(57) For each of two computer systems a program in which memory checksum tests of fixed memory and
complementary tests of variable memory are performed, the program being interrupted for utility
programs which are responsive to transducer or other sensor and discrete inputs to calculate control
values for operation of control actuators or other responsive devices. The utility programs include
specific self test routines. A direct memory access unit is included in each computer for moving data
between the memories of both computers. Periodic testing of fault codes registering the status of
each computer is done during utility-program routines, any variation from normal causing further
routines to be performed. Neither computer checks the internal status of the other, but inputs,
results and data link transmissions must compare equal between the two computers, or routines
determine whether one computer will recognize itself (or a component thereof) as being faulty, and
disable itself. If not, then each computer disables itself after disabling the other.
In accordance with the invention, a plurality of computers include a plurality of specific self tests,
including bit-by-bit memory tests of portions of the memory which may be used in a simplex mode in
which one computer continues to operate after another computer has been disabled, each computer
capable of assuming the disabled mode in the event that it should fail any of its self tests, the
bit-by-bit memory test being performed in whatever portion of computer time remains after [illegible]
and self test functions, each computer checking its answers with that of another computer when not
disabled, each computer in response to the other computer assuming the disable status shedding
unnecessary control functions to increase the rate of performing the bit-by-bit memory test, to thereby
compensate for the inability to check answers with another computer.

In accordance further with the invention, each of a plurality of computers, interconnected by a
data link having a DMA controller associated with each computer, operates under a program of
[illegible] in which each computer has a continuously operating background job and is interrupted
repetitively by real time interrupts in which utility programs, including [illegible] performed, the
computers being synchronized by synchronizing a principal one of the real time interrupts together in
the computers, the direct memory access controller of each computer being synchronized to that
computer through the timing of said principal real time interrupt. According still further to the
invention, the background program in each computer is devoted exclusively to self tests, each computer
has the capability of assuming a disabled mode upon failure of any of its self tests and [illegible]
its status to another computer, each computer when sensing that another computer has [illegible]
computer running time for the utility programs thereby to increase the ratio of self testing performed
in the background program to the number of utility program functions performed. In accordance further
with the invention, the control functions performed by the utility programs [illegible] interrupts
include portions related to controlled process functions which could be dangerous if not performed
properly and functions that should be performed if at all possible, and each computer is capable, upon
sensing that another computer is in the disabled mode, of skipping those utility program portions
relating to dangerous functions while performing utility program portions relating to those functions
that should be performed if at all possible.

[illegible] of the invention will become apparent in the light of the following description of an
exemplary embodiment of the invention as [illegible]

[illegible] of a dual computer aircraft control system embodiment of the present invention;

Figure 2 is a simplified schematic block diagram of output circuitry for use in the embodiment of
Figure 1;

Figure 3 is a diagrammatic illustration of the relationship between the background program, utility
program and the DMA control machro program in the embodiment of Figure 1;

Figure 4 is a logic flowchart of the initialize and background job programs for the embodiment of
Figure 1;

Figure 5 is a logic flowchart of the machrosynch interrupt program for the embodiment of Figure 1;

Figure 6 is a logic flowchart of a real time interrupt entrance and return program for the [illegible]

Figures 7-10 are logic flowcharts of the respective first through fourth real time interrupt
[illegible] of alternative autopilot program portions of the fourth real [illegible]

Figure 16 is a simplified logic flowchart of the roll inner loop calculation subroutine of the program
[illegible];

Figure 17 is a simplified logic flowchart of the roll inner loop output subroutine of the program of
[illegible];

Figure 18 is a simplified logic flowchart of a resolve link subroutine used in the program of the
embodiment [illegible];

Figure 19 is a simplified logic flowchart of the simplex subroutine portion of the program for the
embodiment of Figure 1;

Figure 20 is a logic flowchart of the disable subroutine portions of the program for the embodiment of
Figure 1; and

Figure 21 is a simplified fade in/out calculation subroutine for use in the program of Figure 13.

The description herein is in many instances simplified by use of short, mnemonic terminology, all of
which is identified in a table of nomenclature, set forth hereinafter.
Nomenclature

1=Associated w. C1 (=SELF)
2=Associated w. C2 (=OTHER)
ACC=Accelerometer
ACCEL=Accelerometer
A/D=Analog-to-digital
ADR=Address
ANAL=Analog
ATT=Attitude
AUG=Augmentation
AVG=Average
BG=Background program
BITE=Built-in Test or Built-in Test Equipment
BOTH=C1 and C2, self and other
C1=Computer 1 (=SELF)
C2=Computer 2 (=OTHER)
CALC=Calculate, calculations
CHK=Check
CLR=Clear
CMND=Command
CMPR=Compare
COEF=Coefficient
COLL=Collective Pitch
CPU=Central processing unit
CRIT=Critical
CTR=Counter
CTRL=Control
CTRLR=Controller
D/A=Digital-to-analog
DECR=Decrement
DMA=Direct Memory Access
DSABL=Disable
DSCRT=Discrete
DSPLY=Display
EN=Enable
EXEC=Executive program control
FAS=Force Augmentation system
FB=Feedback
FLT=Fault
GRND=Ground (Earth Surface, Not Elec.)
INCR=Increment
IRPT=Interrupt
LAT=Lateral
MAINT=Maintenance
MEM=Memory
MS=Milliseconds
N=No
NG=No good
NON-SERV=Non-service mode
NORM=Normal
OTHER=Computer 2
PWR=Power
RAM=Random Access Memory
RIL=Roll inner loop
ROL=Roll outer loop
RR=Roll rate gyro related
RRT=Roll Rate
RRG=Roll Rate Gyro
RST=Rest
RSTR=Restore
RUTN=Routine
SELF=Computer 1
SERV=Service mode
SMP/DUP=Simplex and/or Duplex
SMPLX=Simplex
STAT=Status
SWX=Switch
SYS=System being controlled
TOF=Turn off
TON=Turn on
TST=Test
VERT=Vertical
VG=Vertical gyro
WD=Word
WRAP=Wraparound test or configuration
XS=Excess (more than full count)
Y=Yes

Referring now to Figure 1, an exemplary embodiment of the present invention utilizing two
computer systems to provide a fail-operational, fail-safe [illegible] control system of an
aircraft, such as a helicopter, is shown in simplified form. In Figure 1, exemplary portions of an
aircraft flight control system 30 are [illegible] a first computer system 31, referred to hereinafter
as computer 1 or C1, and a second computer system 32, referred to hereinafter as computer 2 or C2. As
used herein, the numeral "1" or designation "C1" associated with any particular apparatus or function
designates relationship with computer 1, 31 (and concomitantly for computer 2). The description herein
is given in [illegible] absolutely identical thereto. As is described [illegible] two; each is
absolutely identical and totally replaceable, one for the other. The program in either will work in
the other, the addresses in one [illegible] in the other; and so forth. There is no master/slave
relationship whatsoever. The only difference between the two is that there is a designation of one as
being 1 and the other as being 2, more [illegible] to identify the equipment bay in which the apparatus
is located, and therefore which switches and indicators refer to which equipment on a central or common
control panel which is associated with the system 30 and includes functions and displays respectively
relating to each of the systems 31, 32. For that reason the description of computer 1 will be given, it
being understood that it is completely applicable to computer 2; in fact, wherever "1" appears, the
term "self" could be substituted and wherever "2" appears, the term "other" could be substituted, and
then the description would be totally apt for either system 31, 32.

This is an important feature of the invention, since there is absolutely no master/slave relationship
whatsoever; each system operating with complete autonomy and authority insofar as its program not
being subservient to that of the other is concerned.

Referring now and hereinafter almost exclusively to the computer system 31, designated as C1,
there is provided a CPU 34 capable of the normal arithmetic and logic, program and interrupt, memory
access and output functions, which includes a master clock utilized generally throughout the system
31. The CPU 34 has associated with it a fixed memory 35, a scratch pad memory 36 and a pair of
random access memories 37, 38 which are reachable by a direct memory access controller 39. The
DMA controller 39 is synchronized to the CPU 34 by means of the CPU's master clock, and in particular
by means of a MACRO SYNCH interrupt clock signal provided on a line 40, which also provides
synchronism between the two systems. The CPUs in both systems each have their own master clock
circuitry, operating on a frequency designed to be identical with that of the other. However, as is
described more fully hereinafter, synchronization between systems and between each CPU and its
related DMA controller is accomplished, only once in every five utility program performances, by a
specific timing signal designated as MACRO SYNCH (MS), which is utilized as the first of the utility
program interrupts in both systems, and as the kick off point for the program of the DMA controller
which, being controlled by the master clock of the related CPU, is very accurately timed therewith to
provide data moves without utilizing CPU processing time, and without holding up any CPU processing
operations. Either CPU can in fact provide the controlling MACRO SYNCH (and other clock signals)
between both CPUs and DMA controllers, in dependence upon which is the first to occur; the
occurrence of the first one (through suitably race-preventing circuitry of any well known type)
automatically resets the other so that both master clocks are tracking insofar as the initialization of
MACRO SYNCH interrupts are concerned. In fact, since either MS will serve both computers, it matters
not if one MS fails, the other will serve. So no major shutdown need occur due to failure of only one
MS. As is described more fully hereinafter, it is a feature of the present invention that utilization of real
time interrupts to perform utility programs avoids the necessity of precise synchronization between
computer systems, and also provides a simple manner of adequate synchronization between each CPU
and the DMA controller; this feature also permits maximum, flat-out utilization of CPU time either for
utility programs or for a maximum amount of self checking program execution during a background job
which is interrupted in order to handle the utility programs.
The DMA controller 39 controls the function of an A/D converter 42, an input analog multiplexer
therefor 43, and a system input multiplexer 45 which can select between the A/D converter output and
other digital or discrete inputs for application to the system. The multiplexer 43 is responsive on the
one hand to analog sensors 47 and to analog feedback signals on lines 48 provided by output circuitry
50 and indicative of actual response to commands provided to the system 30. The A/D converter 42
may include AC demodulation circuitry as necessary, as well as voltage to digital conversion circuitry,
all in a well known fashion. In addition to the A/D converter 42, the multiplexer 45 may respond to a
variety of system status lines and control switches 51 as well as discrete indications on lines 52 from
the output circuitry 50. The DMA controller 39 provides two types of data moves. One type is from the
multiplexer 45 into identical slots of memories 37 and 54. Memory 37 is designated C1/C1 in Figure 1
to indicate that this is a memory in C1 for storing data originating either within C1 itself or within its
associated inputs and/or output feedbacks. This first type data move also applies the same data from
the multiplexer 45 into an identical slot in a DMA random access memory 54 in C2, which is
designated as C2/C1 in Figure 1 to indicate that it is a memory in C2 which receives information
generated by C1 or by its inputs or feedbacks.
The DMA controller 39 also provides data moves from C1/C1 to C2/C1. This type of data move is
used during a wraparound data link test [illegible] move data from the memory 37 to the memory 38 (and
concomitantly in C2) after a transfer of [illegible] has been made as indicated by the dotted lines 55 in
Figure 1, thereby to permit [illegible] to the memory 38 which, after checking, will determine in some
[illegible] the health of the data paths involved. The utilization of this test is described more fully
hereinafter. The CPU 34 has a watchdog timer 56 of a known type which has to be reset periodically in
the program [illegible] establish an alarm on a line 57, which is applied directly to fast-access status
registers 58 and to the output circuits 50 for use in shutting down the system, as is described more
fully with respect to Figure 2 hereinafter. The status registers 58 also receive inputs from maintenance
switches in a maintenance panel 60, which also has displays responsive to outputs from the CPU on a
data bus 61. These outputs on the bus 61 may also be applied to an operator control panel (such as a
pilot's panel in a cockpit of an aircraft, or the system control panel of any system using the present
invention). The outputs on the bus 61 may be OR'd with [illegible] outputs from the other computer, if
desired. The computer 34 has access to any of its memories 35-38 through a data bus 63. The CPU 34 is
also associated with a small, nonvolatile memory 64 (such as magnetic cores), the contents of which is
preserved even through power down intervals. This is utilized to store critical status indicators of the
related computer, and is updated periodically and whenever the related computer is disabled; it also
stores i

The output circuit 50 provides, inter alia, current through a closed loop pair of lines 66, 67 to the
control coil 68 of a hydraulic servo trim valve 69 which is also responsive to a coil 70 controlled by C2.
In normal operation, each coil would provide half of the magnetic force on the servo or trim valve
necessary for a desired response; in either simplex operation or if one coil fails, one coil would provide
a full command to induce the magnetic force necessary for the desired response, while the other coil
would contribute nothing. The valve 69 is designated RIL (roll inner loop) in Figure 1; this is only one of
a number of such valves which may be [illegible] control system, but which is described more fully
hereinafter.

An additional type function of the output circuitry 50 is provision of a discrete drive signal on a
line 72 which may operate an OR circuit 73, which in turn opens a main hydraulic valve to
enable operation of a hydraulic servo system used in the control of the aircraft. The OR circuit
73 may be operated conjointly or alternatively by a like signal from C2. Instead of an OR circuit,
an AND circuit may be used for dangerous functions, requiring both C1 and C2 to participate.
Whether or not the valve has opened is indicated by a discrete signal on a line 76 which
carries the information back to the output circuitry 50. The valves 69, 74 are illustrative merely of large
numbers of such valves which may be controlled in accordance with the teachings herein.
Alternatively, of course, electromechanical actuators, pneumatic valves, selsyns, or other forms of
actuators may obviously be controlled by a system of the type described herein, the valves shown
being merely exemplary.

As described briefly hereinbefore, one of the most prominent features of the present invention is
that each computer is autonomous and is in no fashion a slave to the other. Each computer has the
capability of disabling itself in the event of failure of its own self tests, including the memory check
sum of every bit of the critical portions of fixed memory 35 and the scratch pad test of the critical
portions of the scratch pad memory 36, as well as the wraparound data link check and other critical
tests performed during processing. In addition, in any event where the two computers do not agree with
one another, some action is taken. In cases where further testing could resolve the difficulty, and
determine which computer is at fault, such tests are performed. In the case of disagreement of inputs,
either computer may decide that either its inputs or the other inputs are faulty, and take the faulty
input device off line. Either computer may decide that one of its outputs is faulty and disable it. And
either computer may decide that it is faulty by virtue of its own self test and take itself off line. But
if, after further testing, the problem of which computer's input or which computer is at fault isn't
resolved, then both input devices, or both computers are taken off line (disabled). Another feature of
the system according to the invention is that, in the event of an unresolved conflict between the two
computers, each computer may take both off line, but only by ensuring that it disables the other
computer simultaneously with disabling itself. The disabling of the other computer is accomplished by a
hardwire connection 78 from the output circuitry 50 of computer 1 to similar circuitry in computer 2
and by a hardwire connection 79 from the output of computer 2 to the output circuitry 50 of computer 1.
This is in addition to status words that may be lodged in the opposite computer by means of normal data
moves of discrete signals through the DMA.

Referring now to Figure 2, the output circuitry 50 includes an output digital to analog converter
80, responsive to digital output commands on lines 61b associated with the computer output bus 61
in Figure 1, to provide an [illegible] for distribution as determined by a de-multiplexer 82 in response
to an output device address applied thereto on a bus 61c, which is also associated with the computer
output bus 61 in Figure 1. Referring specifically to the roll inner loop control valve 68, the
demultiplexer 82 will provide an analog signal on a line 84 which is stored in a sample and hold (or
[illegible]) 85, the output of which is suitably driven by a driver 86 which in the present embodiment
is bilateral, operating in response to balanced positive and negative voltages (such as ±19 volts on a
pair of lines 87, 88). The lines 87, 88 are in turn energized through respective contacts 89 of a power
sever relay 90, which is normally open, and maintained in an energized condition by a signal on a line
91 from the set side of a latch 92, which is normally set. The contacts 89 are in turn energized by a
suitable driver power supply 93, an output of which on a line 94 may also be used to provide power to
the latch 91, thereby ensuring that the output of the latch on the line 91 will disappear in the event of
failure of the power driver 93, thereby disabling all of the drivers 87, 88 in a symmetrical fashion so
their outputs will go to zero, while at the same time providing a C1 disabled discrete output on the
line 52(b) to the multiplexer 45 (Figure 1). Otherwise, the drivers fed by lines 87, 88 may have
continued to operate in an imbalanced fashion and provided faulty outputs.

The driver 86 feeds the lines 66, 67 to provide the precise current commanded for the valve coil
68 through relay contacts 96, which are normally open, and are closed only through energization of an
associated relay coil 99. The relay coil 99 is normally energized by a signal on a line 100 provided by
the set side of a latch 101. Other valves are similarly driven through contacts, the coil of which is
energized by latches, such as latch 102. Removal of power to the relay coil 99 causes the contacts 96
to open, thereby ensuring that there is no current through the coil 68, which thereby disables the
output of computer 1, insofar as that coil is concerned. Similarly, if the latch 102 is reset, relay
contacts 104 related to a servo valve coil 105 will open, ensuring that the valve coil 105 will have no
current through it. The latches 101, 102 may be individually selectively reset so as to disable only the
associated coil (68, 105, respectively) by discrete output disable signals on related lines 61a-1 and
61a-2, and so forth. These latches may also be reset, in response to OR circuits 106, 107, altogether
as a single unit in consequence of the C2 disabled signal on the line 79, which comes directly from
computer 2, after ensuring it has a 1 MS duration by means of a 1 MS delay 108 and an AND circuit
109, to provide a signal on a line 79a. Similarly, the outputs to the valve coils 68, 105 may be faded
down to zero individually, or successively, by providing suitable output command words on the bus
61b through the multiplexer 82. Thus the sample and hold 85 can be set to zero in any case where the
coil 68 is desired to be not energized by computer 2, in the case of degraded operation without one or
a few outputs. Or, all of the sample and hold circuits may be successively set to zero by repetitive,
suitable output commands through the D/A converter 80 and the de-multiplexer 82. In the case of
closing down one output, the digital word supplied to the D/A is faded out slowly, because C1 can be
trusted, and operation is smooth. But in disable operations, the computer cannot be trusted to fade out
slowly, so the D/A is driven to zero all at once, for all outputs. The latches 92, 101, 102 are initially set,
so as to energize the associated relay coils 90 ... 99 in response to a power-on-reset discrete signal on
a line 61d, which may form a part of the CPU output bus 61 shown in Figure 1.
There has thus been initially described four ways for the coils 68, 105 to be disabled and provide
no further system response: The coil circuits may be opened one at a time by output disable discretes
or altogether by the C2 disable C1 signal; the drivers may have their voltages removed by the relay
contacts 89, or the sample and hold circuits (such as 85) may be driven to zero.

Similar controls are provided for the servo valve 74 referred to briefly with respect to Figure 1
hereinbefore. Specifically, a latch 110 may be set in response to a suitable enable servo discrete signal
on a line 61 (associated with the CPU output bus 61 in Figure 1) to provide the signal on the line 72 to
the OR circuit 73 to enable the servo on valve 74. The latch 110 may be reset in the case that power
thereto is lost from a line 111 which is fed through a relay contact 112 by a discrete power source
113, the relay contact 112 being normally open and maintained closed by current through its
associated coil 114 in response to current on the line 91 (described hereinbefore). The latch 110 can
be reset by an OR circuit 115 in response to a discrete disable signal on a line 61a-3, in response to the
C2 disable C1 signal on the line 79a, or in response to a power-on-reset signal on the line 61d. The
latches 92, 101, 102, 110 are illustrative merely, and may take the form of suitable flip flops feeding
adequate driver amplifiers, or other circuitry as best suits any particular implementation of the present
invention, so long as the logical functions described herein are amply provided thereby.
The disable control circuit per se is shown in the lower left of Figure 2. This includes an OR circuit
117 which is responsive to the output from the watchdog timer on the line 57, a disable self signal
from computer 1 on the line 61e, a disable both signal from computer 1 on a line 61f, or the C2 disable
C1 signal on a line 79. The OR circuit 117 provides a signal on line 118 to an AND circuit 120, and
through a 2 millisecond delay [illegible] 120 may be blocked during maintenance operations if desired,
by a signal on a line 61g. If not blocked by a maintenance signal, the AND circuit 120 will operate,
2 milliseconds after the signal on line 118 appears, [illegible] signal operates the OR circuit 117 it
should be a steady signal and not just a short noise spike. The AND circuit 120 will reset the latch 92
to cause the signal on the line 91 to disappear, thereby releasing the relay contacts 89, and
de-energizing [illegible] 86). When reset, the latch 92 will provide a signal on a line 122 to an AND
circuit [illegible] is also responsive to the C1 disable both signal on the line 61f; this ensures that
in the [illegible] of computer 1 deciding to disable both computers, it is not effective to provide the
C1 disable C2 signal on the line 78 until it ensures at least one of the modes of disablement has taken
place by resetting of the latch 92 to provide the signal on the line 122. Of course, the set side of
[illegible] with an inverter to provide the [illegible] disable C2 signal [illegible] amplifier to drive
the relay coils [illegible] be made [illegible] upon the particular circuits which are desired to be
used in implementing any embodiment of the present invention.
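
The disable path described above can be followed as a small discrete-time model. The following is an added example, not code from the patent: it samples the inputs to OR circuit 117 once per millisecond, and the type names, field names and the reading of "2 milliseconds after the signal appears" as "still present on every sample for 2 ms" are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>

#define HOLD_MS 2   /* the 2 millisecond delay ahead of AND circuit 120 */

/* One 1 ms sample of the disable inputs (field names are this example's own). */
typedef struct {
    bool watchdog_alarm;   /* line 57  */
    bool disable_self;     /* line 61e */
    bool disable_both;     /* line 61f */
    bool other_disable_me; /* line 79, "C2 disable C1" */
    bool maint_block;      /* line 61g, blocks AND circuit 120 */
} disable_inputs;

typedef struct {
    bool latch92_set;  /* set: line 91 up, contacts 89 closed, drivers powered */
    bool requesting;   /* line 118 was up on the previous sample */
    int  elapsed_ms;   /* how long line 118 has stayed up without a gap */
} disable_state;

typedef struct {
    bool drivers_powered;  /* line 91 */
    bool disable_other;    /* line 78, "C1 disable C2" */
} disable_outputs;

/* Power-on reset (line 61d) sets latch 92. */
void disable_init(disable_state *s)
{
    s->latch92_set = true;
    s->requesting = false;
    s->elapsed_ms = 0;
}

/* Advance the circuit by one millisecond. */
disable_outputs disable_step(disable_state *s, const disable_inputs *in)
{
    /* OR circuit 117 drives line 118. */
    bool line118 = in->watchdog_alarm || in->disable_self ||
                   in->disable_both || in->other_disable_me;

    if (!line118) {                 /* request dropped: a spike is forgotten */
        s->requesting = false;
        s->elapsed_ms = 0;
    } else if (!s->requesting) {    /* rising edge: start timing */
        s->requesting = true;
        s->elapsed_ms = 0;
    } else if (s->elapsed_ms < HOLD_MS) {
        s->elapsed_ms++;
    }

    /* AND 120: request still present HOLD_MS after it appeared, not blocked. */
    if (line118 && s->elapsed_ms >= HOLD_MS && !in->maint_block)
        s->latch92_set = false;     /* stays reset until the next power-on reset */

    disable_outputs out;
    out.drivers_powered = s->latch92_set;
    /* Line 122 (latch 92 reset) gates the disable-both request onto line 78,
       so the other computer is never disabled before this one is. */
    out.disable_other = !s->latch92_set && in->disable_both;
    return out;
}

typedef struct { int drivers_off_at; int disable_other_at; } trace_result;

/* Hold `in` for pulse_ms samples, then all-clear, for total_ms samples.
   Returns the first sample at which each output changed, or -1 if never. */
trace_result run_pulse(disable_inputs in, int pulse_ms, int total_ms)
{
    const disable_inputs idle = { false, false, false, false, false };
    disable_state s;
    trace_result r = { -1, -1 };

    disable_init(&s);
    for (int t = 0; t < total_ms; t++) {
        disable_outputs o = disable_step(&s, t < pulse_ms ? &in : &idle);
        if (!o.drivers_powered && r.drivers_off_at < 0) r.drivers_off_at = t;
        if (o.disable_other && r.disable_other_at < 0) r.disable_other_at = t;
    }
    return r;
}

int main(void)
{
    disable_inputs spike = { .watchdog_alarm = true };   /* constructed input */
    disable_inputs both  = { .disable_both = true };     /* constructed input */
    trace_result a = run_pulse(spike, 1, 10);
    trace_result b = run_pulse(both, 10, 10);

    printf("1 ms watchdog spike: drivers off at %d\n", a.drivers_off_at);
    printf("steady disable-both: drivers off at %d, line 78 up at %d\n",
           b.drivers_off_at, b.disable_other_at);
    return 0;
}
```
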

The output circuitry 50 of Figure 2 also provides discrete feedback signals and analog feedback
signals to the input of computer 1 so that it may monitor the health of its output circuits. Specifically, a
discrete output signal on a line 52a derived from the feedback line 76 provides a discrete feedback
signal indicative of the servo ON valve 74 being energized, to the multiplexer 45 of computer 1 (Figure
1). The C1 disable C2 signal on the line 78 may also be provided as a discrete input to the multiplexer
45 in Figure 1 over a line 52c, and the fact that the driver voltages have been removed by the contacts
89 may be monitored by a C1 disabled discrete signal applied to the multiplexer over line 52b
(Figure 1). Further, analog signals may be provided from the circuitry of Figure 2 to the input of the
analog multiplexer 43. For instance, the actual voltage value of the discrete power supply 113 may be
provided on a line 46c; a voltage indicative of the voltage output on the lines 87, 88 from the driver
power supply 93 may be provided on the line 48b. If the driver power is balanced to ground, the line
48b may be attached across a load resistance in such a fashion as to provide a specific discrete
positive or negative voltage (such as [illegible] volts) indicative of normal balanced voltage on the
line 87, 88. Each of the servo valve coils (such as 68) may be provided with a current-to-voltage
converting resistor 126 to supply a voltage on a line 48(a) to the input of the A/D converter
multiplexer 43 indicative of the actual current through the coil, for comparison with the command
supplied thereto, in feedback tests which are described hereinafter.

Referring now to Figure 3, and considering the computer architecture described briefly in Figure
1, the present invention is implemented with programming which relies on real time interrupts to break
into a background program (BG) of self testing to perform utility programs which include operational
and self tests, and to synchronize these utility programs with a program of operation for the related
DMA. The background program bears no synchronism with the utility programs, or the DMA. The
background program is interrupted repetitively, about 100 times per BG iteration. On the order of half
of the computer time is used for the background program and half of the computer time is used for the
utility programs, during duplex mode. This arrangement (as illustrated in Figure 3) provides for a solid
intermix of background program self testing with utility programming, and with no loss of computer
time whatsoever. This is achieved without any close tolerance on the timing of the utility program, and
with no relationship whatsoever between the background program and the utility program. A feature of
the invention is that, after full memory testing during initialization, only those portions of fixed memory
35 and scratch pad 36 that are used in the simplex mode for inner loop stability (what the pilot needs
most) are checked by the background program; the remaining memory portions are checked only by
intercomputer redundant comparisons. The utility programming is accomplished in five different type
of interrupts, one being designated as MACRO SYNCH, the other four being designated as real time
interrupts and utilizing a common entry and exit program (RT) for certain housekeeping functions.
However, other than the fact that each program is distinct, there is no difference between the MACRO
SYNCH program and the real time interrupt programs (RT1-RT4). But the fourth real time interrupt
(RT-4) itself may operate any one of four sub-programs designated AP0 through AP3, as illustrated
briefly in Figure 3.

" The DMA macro program is organized to complete its entire repertoire in exactly the same time 
60 frame as exists between two of the MACRO SYNCH interrupts, which are carefully controlled by the 60 
master clock of either one or the other of the computers, depending upon which one is infinitesimally 
higher in frequency than the other. Since the DMA operates on the same master clock as the computer, 
it will remain synchronous with the MACRO SYNCH interrupts thereof. The timing of each of the 
individual utility programs may vary to some extent, but this is of no moment since the degree of 
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synchronization which Jth.e utility program must bear to the DMA is easily accommodated by the fact 
that the utility programs are synchronized once for each DMA program, by the MACRO SYNCH signal. 

The tables referred to in Figure 3 and presented hereinafter indicate an exemplary DMA macro
program (the detail program for implementing the data moves illustrated in the tables being obvious to
those skilled in the art), which may accommodate the types of programs described briefly herein for
illustrative purposes.

It should be borne in mind that the particular computer architecture, use of a DMA controller, the
particular analog and digital input arrangements, and the manner of establishing communication
between the two computers may be modified in a variety of ways to take advantage of the present
invention. However, further aspects of this invention include some of the features which relate to the
specific computer architecture and relationships between the data link and certain of the related tests
therein. These will become more apparent in the following description.



DMA DATA MOVE PROGRAM — MACRO SYNCH

Source      Destination      Definition
A/D         C1/C1, C2/C1     LONG STICK POS
A/D         C1/C1, C2/C1     YAW TRIM POS
A/D         C1/C1, C2/C1     COLL TRIM POS
DISCRETE    C1/C1, C2/C1
C1/C1       C2/C1            F.B. STATS
C1/C1       C2/C1            F.B. STATS
SPARE
SPARE
SPARE
SPARE
SPARE
SPARE
SPARE
SPARE
C1/C1       C2/C1            FAS OUTPUT CMD
C1/C1       C2/C1            ROLL TRIM CMD
C1/C1       C2/C1            YAW TRIM CMD
A/D         C1/C1, C2/C1     ROLL GYRO
A/D         C1/C1, C2/C1     ROLL RATE GYRO
C1/C1       C2/C1            COLL TRIM CMD
A/D         C1/C1, C2/C1     LAT ACCEL





DMA DATA MOVE PROGRAM — REAL TIME 1

Source      Destination      Definition
A/D         C1/C1, C2/C1     DIR GYRO 1
A/D         C1/C1, C2/C1     YAW RATE GYRO
A/D         C1/C1, C2/C1     15 VOLT INTERNAL POWER
A/D         C1/C1, C2/C1     DC BUS MONITOR
A/D         C1/C1, C2/C1     DISCRETE POWER
A/D         C1/C1, C2/C1     15V SENSOR EXCITATION
A/D         C1/C1, C2/C1     5V CPU POWER
A/D         C1/C1, C2/C1     15V CPU POWER
A/D         C1/C1, C2/C1     400 HZ AC POWER REF
A/D         C1/C1, C2/C1     400 HZ AC BUS
A/D         C1/C1, C2/C1     SYNCHRO CONVERSION TEST
A/D         C1/C1, C2/C1     SYNCHRO MONITOR TEST
A/D         C1/C1, C2/C1     19V OUTPUT DRIVE POWER
A/D         C1/C1, C2/C1     RAD ALT RATE
C1/C1       C2/C1            ROLL INNER LOOP CMND
C1/C1       C2/C1            YAW INNER LOOP CMND
A/D         C1/C1, C2/C1     VERT GYRO (PITCH)
A/D         C1/C1, C2/C1     PITCH RATE GYRO
A/D         C1/C1, C2/C1     LONG ACCEL








DMA DATA MOVE PROGRAM — REAL TIME 2

Source      Destination      Definition
A/D         C1/C1, C2/C1     VERT ACCEL
A/D         C1/C1, C2/C1     RATIO ALTITUDE
A/D         C1/C1, C2/C1     BARO ALTITUDE
A/D         C1/C1, C2/C1     BARO ALT RATE
A/D         C1/C1, C2/C1     RAD ALT SET POT



DMA DATA MOVE PROGRAM — REAL TIME 2

Source      Destination      Definition
C1/C1       C2/C1            PITCH AUTOPILOT INTEGRATOR
C1/C1       C2/C1            ROLL AUTOPILOT INTEGRATOR
C1/C1       C2/C1            YAW AUTOPILOT INTEGRATOR
C1/C1       C2/C1            COLL AUTOPILOT INTEGRATOR
C1/C1       C2/C1            PITCH INNER LOOP CMD
C1/C1       C2/C1            COLL INNER LOOP CMD
A/D         C1/C1, C2/C1     BIAS ACTUATOR POSITION
A/D         C1/C1, C2/C1     AIRSPEED
A/D         C1/C1, C2/C1     LONG STICK POSITION

DMA DATA MOVE PROGRAM — REAL TIME 3

Source      Destination      Definition
A/D         C1/C1, C2/C1     SPARE A/D INPUT
A/D         C1/C1, C2/C1     SPARE A/D INPUT
A/D         C1/C1, C2/C1     SPARE A/D INPUT
A/D         C1/C1, C2/C1     SPARE A/D INPUT
A/D         C1/C1, C2/C1     SPARE A/D INPUT
A/D         C1/C1, C2/C1     GROUND TEST D/A F.B.
A/D         C1/C1, C2/C1     ROLL TRIM COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     YAW TRIM COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     COLL TRIM COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     ROLL SERVO COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     ROLL SERVO COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     YAW SERVO COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     YAW SERVO COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     PITCH SERVO COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     PITCH SERVO COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     COLL SERVO COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     COLL SERVO COIL CURRENT (F.B.)
C1/C1       C2/C1            FAS CMND
C1/C1       C2/C1            BIAS ACTUATOR CMD
Source      Destination      Definition
DISCRETE    C1/C1, C2/C1
DISCRETE    C1/C1, C2/C1
DISCRETE    C1/C1, C2/C1
A/D         C1/C1, C2/C1     FAS COIL CURRENT (F.B.)
A/D         C1/C1, C2/C1     BIAS ACTUATOR VOLTAGE (F.B.)
A/D         C1/C1, C2/C1     FAS DIFFERENTIAL PRESSURE
DISCRETE    C1/C1, C2/C1
DISCRETE    C1/C1, C2/C1
A/D         C1/C1, C2/C1     HEADING TRIM CMD
A/D         C1/C1, C2/C1     ROLL STICK POSITION
A/D         C1/C1, C2/C1     PEDAL POSITION
C1/C1       C2/C1            NONVOLATILE STORAGE WORDS BITE CODE
C1/C1       C2/C1            NONVOLATILE STORAGE WORDS BITE CODE
C1/C1       C2/C1            NONVOLATILE STORAGE WORDS BITE CODE
C1/C1       C2/C1            NONVOLATILE STORAGE WORDS BITE CODE
C1/C1       C2/C1            NONVOLATILE STORAGE WORDS BITE CODE
C1/C1       C2/C1            NONVOLATILE STORAGE AFCS ENGAGE STATUS
C1/C1       C2/C1            SPARE
C1/C1       C2/C1            NONVOLATILE STORAGE PITCH RATE GYRO NULL
C1/C1       C2/C1            NONVOLATILE STORAGE ROLL RATE GYRO NULL
C1/C1       C2/C1            NONVOLATILE STORAGE YAW RATE GYRO NULL
C1/C1       C2/C1            NONVOLATILE LNG ACCEL GYRO NULL
C1/C1       C2/C1            NONVOLATILE MEMORY TRACKED LAT ACCEL NULL
C1/C1       C2/C1            NONVOLATILE MEMORY LAT ACCEL NULL
C1/C1       C2/C1            NONVOLATILE MEMORY VER NULL
C1/C1       C2/C1            NONVOLATILE MEMORY FAS NULL
C1/C1       C2/C1            NONVOLATILE MEMORY CHECK SUM
DISCRETE    C1/C1, C2/C1
DISCRETE    C1/C1, C2/C1
DISCRETE    C1/C1, C2/C1
Source      Destination      Definition
SPARE
SPARE
SPARE
C1/C1       C2/C1            ROLL AUTOPILOT CMND
SPARE
C1/C1       C2/C1            GROUND TEST WORD 1
C1/C1       C2/C1            LINK TEST WORD
C1/C1       C2/C1            LINK TEST WORD
SPARE
C1/C1       C2/C1            YAW AUTOPILOT CMND
A/D         C1/C1, C2/C1     ROLL TRIM POS



Referring now to Figure 4, when the power is interrupted, and restored, as is very typical in digital
processing systems, the power-on reset function will force instruction handling to begin at a program
address defining an initialization routine for establishing operating conditions and parameters through
program entry 400. In the initializing, contents of non-volatile memory, which include indications of
the important status of the control system, are restored into scratch pad memory so that the system will
turn on with the status indicators that were previously established. This is accomplished in step 401.
Along with various other housekeeping functions, such as zeroing out of scratch pad, enabling fault
indicating routines and the like, initializing of various registers and hardware is performed. Step 402
places the executive program into the non-service mode, after which a fifty millisecond wait is provided
in step 403 to allow time for the system to warm up and settle down; then interrupts are cleared and
re-enabled in step 404.

Step 405 enables a link wrap test of the type alluded to hereinbefore, by generation of a discrete
signal which will transfer the link switches (55, Figure 1) so that C1 will wrap around on itself during a
link wrap test routine 406, after which the data link is returned to its normal inter-computer
configuration in step 407. The link wrap routine 406 is not shown in detail herein, but is a simple data
move by the DMA from C1/C1 (Figure 1) through the wrapped link (55) to C1/C2 of whatever it was
moving for later comparison by the CPU, in a very well known fashion. In test 408, should the link wrap
test fail, a fault code is set in step 409 and the program branches to the disable self routine described
hereinafter with respect to Figure 20, through routine entry point 410.

On the other hand, if the link test does not fail, more initialization may occur as illustrated in step
411. In some system control embodiments, the further initializing indicated in step 411 may include
calculation of nulls and other factors to be utilized in translating the readings of various sensors (such
as accelerometers in the aircraft control system described herein). Other initializing functions will be
apparent to those skilled in the art in dependence upon the particular control system in which the
present invention is to be employed.

In test 412, the computer determines whether it has previously been disabled; the purpose of this
is to test the driver power supply 93 (Figure 2) to check for a power failure of any sort; or should the
system be shut down in normal operation and then restored (such as for the emergency getaway of an
aircraft) without first providing suitable diagnostics and maintenance to cure the problem, the fact that one
or the other computer has previously been disabled must be maintained. It follows this routine so as to
establish hang-up in a disabled mode as is described more fully with respect to Figure 20 hereinafter.
Thus, in step 413 the fault code for disabling self is set, and the program transfers through point 410.
In a similar fashion, if computer 2 is disabled, computer 1 must establish its operation in the simplex
mode. For that reason, test 414 determines whether C2 is disabled by comparing against a flag, and
if it is, step 415 sets a code to indicate that computer 2 is disabled, and the program is shifted to a
routine for establishing operation of computer 1 in the simplex mode, at program transfer point 416.

If neither computer 1 nor computer 2 is disabled, instruction handling continues, to establish
operation of computer 1 in a manner with its background program continuously running, except during
the five real time interrupts which cause performance of the utility programs, each program returning
to the interruption point in the background program. The establishment of this operation includes testing
the interrupt counter and an interrupt timer. This test is performed in the same fashion during power on
reset initialization as described, as well as whenever transferring into the simplex mode of operation
which requires reinitialization, through the simplex routine entry 417. To test the interruption handling
features, a thirty millisecond timer is started in step 418, and the interrupt counter is reset in step 420.
Then the interrupt counter is tested for its terminal count of 4 in test 421. If it has not yet reached its
count of 4, the interrupt counter is incremented in step 422. Then the determination of whether all of
the interrupts can be handled in the prescribed time is made at test 423 by determining whether the
thirty millisecond time out has occurred. If it has, a fault code for that is set in step 424, and program
handling for establishing disablement of computer 1 is reached by routine entry 425. On the other
hand, if the time isn't up, then the interrupt counter is again interrogated in step 421 until such time as
it reaches its count of 4, unless the thirty millisecond count times out first.

If it does reach the count of 4 in time, then a signpost counter is set in step 426. Notice that the
executive program has been in the non-service mode since it was placed there in step 402,
hereinbefore. Assuming all goes well, at step 427 the executive is returned to the service mode, and
then some initial built-in test equipment tests are performed in step 428. Although referred to as a
step, it is most likely that the initial BITE test indicated in step 428 may involve routines, which are,
however, not described elsewhere herein.

Next, the background job counter is reset to indicate start of the background job; more on this
with respect to Figure 5, hereinafter. The background job then performs a check sum test routine, and a
scratch pad test routine, repetitively, in a loop, throughout operation of the computer, in other than the
disabled mode. Each of these background loops is, however, interrupted about 100 times by the real
time interrupts to perform utility program service, some examples of which are described hereinafter.
Of the five interrupts disclosed as exemplary herein, each of them will perform utility processing, and
then return to the background job as depicted in step 429 and routines 430 and 431. During the real
time interrupts and the background job, the DMA is busy moving data from the digital multiplexer 45
(including the A/D and discretes) into C1/C1 and C2/C1, or from C1/C1 to C2/C1, in synchronism with
the real time interrupts.

The bit sum check of the critical portions of fixed memory 35 and scratch pad 36, performed
repetitively in the background program as illustrated at the bottom of Figure 4, provides a significant
amount of storage testing of computer 1; together with the instruction test (hereinafter), the likelihood
at any point in time is that computer 1 probably is operating properly, unless one of these tests indicates
a failure, which failure is picked up as described more fully with respect to Figure 15, hereinafter. And,
these tests are performed utilizing computer time in between the computer time devoted to the utility
programs which provide system control with the extremely safe, reliable operation as described herein,
and maximum CPU utilization.

The first interrupt in the sequence of interrupt priorities is called MACRO SYNCH (MS), with the
program for the MACRO SYNCH interrupt shown in Figure 5, reached through
program entry 501. The interrupted program status is recorded in the usual fashion in step 502.
Supervisory interrupts are enabled in step 503; these are interrupts which have a higher priority than
the utility program interrupts, such as the losing of power. Other critical factors could also cause
supervisory interrupts in any implementation of the invention.

The watchdog timer 56 (Figure 1) is reset at regular intervals; after about [illegible] it sets up an
alarm indication (57, Figure 1) of the fact that something is hung up in the program, in a well known
fashion; this is reset every 12.5 MS in step 504. In step 505, the interrupt counter, which is referred to
hereinbefore with respect to Figure 4, is reset so as to cause it to indicate that the next following
interrupt will be Interrupt No. 1, a factor which allows the interrupt counter to lag the signpost counter
in a manner described hereinafter, and also to accommodate five interrupts while using a four-count
interrupt counter. Next, step 506 indicates that the MACRO SYNCH interrupt counter is to be
incremented, to keep track of how many MACRO SYNCHs have occurred. This is simply a long-delay
timer of 12.5 MS which is used to create long waits, and the like. An example is the 50 MS wait in the
disabled mode, which can be effected by four counts of the MACRO SYNCH counter.

In test 507, the status of whether the executive program is serving interrupts or not is tested. If
not, the signpost counter, which in this embodiment is a 4-bit counter, is reset in step 509. Then the
executive is interrogated to see if it is in maintenance mode, in step 510, so that certain maintenance
routines 511 may be performed. This status of the executive program is controlled through switches or
the like by operator intervention. Returning now to test 507 near the top of Figure 5, if the executive
program is in a service mode, the signpost counter is interrogated in test 512. Since the last interrupt
should have been real time interrupt No. 4, and this counter is preset to four during initialization, the
signpost counter should be set at 4. If it is not, then a fault code is set in step 513, and the program
branches to a routine for disabling itself through program transfer point 514.

On the other hand, if test 512 indicates that the signpost counter is set properly, then the
background counter is incremented in step 515 and is interrogated in step 516. If the background
counter exceeds 21, it has been in the same loop for more than 20 MACRO SYNCHs. This means the
BG is taking too long, and is probably hung up, and not providing the desired testing; so, step 513 sets
a fault code and the program transfers through the program transfer 514 to disable C1. But if the
background counter has not exceeded eight, the signpost counter is reset in step 517, which causes it
to be set to 1 for interrogation in the real time interrupt entry routine, as described hereinafter with
respect to Figure 6.

The status of this computer's operation (that is, whether both computers are running in a duplex
mode or whether this computer is running by itself in a simplex mode) is interrogated in test 518. If the
computer is not in the simplex mode, it is therefore in the duplex mode and it can therefore perform
those control functions which are allowed to be performed only in the duplex mode. Some of these
functions are of extremely grave consequences which are allowed to be controlled only by two properly
operating computers, and are not utilized in the event that one of the computers has failed. In the
aircraft control system described herein by way of example, such a program, as indicated by routine
519, is the calculation of pitch force augmentation system parameters. Then, other routines may be
performed which are not too dangerous but are most important, and which may be run in simplex
mode by a single computer. Examples, in the aircraft control system described herein, include
calculation of roll trim (routine 520), calculation of yaw trim (routine 521), and calculation of collective
trim (routine 522). This is an example of one type of the fail-operational features of the invention. Then,
the status is again interrogated in test 523, and if the computers are both operating so that computer 1
is not in a simplex mode, a link test routine 524 is performed; this link test is different than the wrap
around link test (405-407, Figure 4) since it provides for the DMA of each computer to send to the
other computer (C1/C1 to C2/C1) data of a known pattern so the other computer can determine
whether it sent it correctly or not, including both true and complement patterns, in a well known
fashion. The link test is interrogated during the 4th real time interrupt; and if it indicates there is a
problem with the link, the computers will be further tested as is described more fully with respect to
Figures 15 and 18, hereinafter. In addition to the link test, the first, low half of each 12.5 MS MACRO
SYNCH square wave is verified as being in the low state in a macro synch logic routine 525.

This signifies the end of the MACRO SYNCH interrupt program, regardless of whether the
computers are in duplex or simplex mode, and regardless of whether this computer is in a maintenance
or an executive service mode. Thereafter, in step 526, the return from interruption handling is made
possible by restoring all of the background program parameters; and the system returns to the
background program automatically through interrupt return point 527.

After completing the macro synch interrupt routine described with respect to Figure 5, by means
of interrupt return, the background program is resumed; and it will pick up wherever it left off,
asynchronously with respect to the real time interrupts, and asynchronously with respect to the other
computer. The only criterion is that the overall cycle time planning must be such as to accommodate
as much BG self test as felt necessary. The present embodiment provides approximately 12 1/2 MS
between MACRO SYNCHs; only about half of that time is utilized for the interrupt service routines, the
remaining time being available for the checksum test and scratch pad test. The background program
may require 100 MS to run, but since it is continuously interrupted, it may require 200 MS to
complete.

As the background job is progressing, eventually a second real time interrupt will occur (see
Figure 3). This, and the next three, are referred to herein as "RT IRPT" and are anonymous insofar as
interrupt handling is concerned, but are resolved into different programs by the real time interrupt
handling (other than MACRO SYNCH) described by Figure 6. All of the four real time interrupts are
entered through the program entry 601, following which the particulars relating to the background
program are saved in step 602. The supervisory interrupts (as described with respect to Figure 5) are
enabled in step 603, and the real time interrupt request is reset in step 604; this permits any additional
RT IRPT to occur, if the real time clock is faulty, so such can be checked against the signpost and BG
counters and the computer can be disabled. The real time interrupt counter is then incremented in step
605, to indicate that this will be RT 1.

If the executive program is in neither the run nor maintenance mode as determined in steps 606
and 607, the background program particulars are restored in step 608, the signpost counter is
incremented in step 609, and instruction handling will branch back to the background program through
interrupt return point 610. This short loop will be used during hang-up in the disabled mode, described
hereinafter. But if it is determined in step 607 that the executive is in the maintenance mode, real time
maintenance routines 607a will be performed. This could be diagnostics or the like and is called for by
intervention of personnel. These routines are not described elsewhere herein and are not important in
the precepts of the invention.

If the executive program is in the run mode as determined in step 606, then the signpost counter
is compared with the real time interrupt counter in test 611 to see if the programs are properly
tracking. That is, the real time interrupt counter should say that we are entering into the one of the four
real time interrupt programs that the signpost counter says we should be on. If not, then a fault code is
set in step 612 and the disable self routine is reached through routine entry point 612a. On the other
hand, if the programming is on track, then the desired real time interrupt program is reached by first
adding the real time interrupt counter to the real time program base address in step 613 and then
branching to the resulting real time interrupt address through program entry point 614. Thus one of
four real time interrupt programs, designated RT 1 through RT4, will be reached and
performed as described with respect to Figures 7 through 10 hereinafter. At the end of each of these
programs, they return to the real time interrupt program of Figure 6 through a program return point
616, to cause incrementing of the signpost counter in step 609 and return to the background program
through the interrupt return 610, as described hereinbefore.
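
The counter checks of Figures 5 and 6 can be exercised in a few lines of C. This is an added sketch, not code from the patent: the counter encoding (the signpost holds the number of the last real time interrupt completed, so it reads 4 at MACRO SYNCH), the explicit bound on the interrupt counter, the fault codes and all function names are assumptions made for illustration.

```c
#include <stdio.h>

enum fault { FAULT_NONE = 0, FAULT_SIGNPOST, FAULT_TRACKING, FAULT_BG_HUNG };

#define RT_PER_FRAME 4   /* RT1..RT4 follow each MACRO SYNCH (from the text) */
#define BG_LIMIT     21  /* text: above 21 = one BG pass outlasted 20 MACRO SYNCHs */

struct monitor {
    unsigned signpost;    /* assumed encoding: last real time interrupt completed */
    unsigned irq_counter; /* real time interrupt now being entered */
    unsigned bg_counter;  /* MACRO SYNCHs since the background pass restarted */
    int service;          /* executive in service (run) mode */
    enum fault fault;     /* first fault latched; nonzero = disable self */
};

static void monitor_init(struct monitor *m)
{
    m->signpost = RT_PER_FRAME;  /* preset to four during initialization */
    m->irq_counter = 0;
    m->bg_counter = 0;
    m->service = 1;
    m->fault = FAULT_NONE;
}

/* Background job starting a new check sum / scratch pad pass. */
static void on_background_restart(struct monitor *m) { m->bg_counter = 0; }

/* MACRO SYNCH interrupt: tests 507, 512 and 516 of Figure 5. */
static void on_macro_synch(struct monitor *m)
{
    if (m->fault) return;                  /* already disabled */
    m->irq_counter = 0;                    /* next interrupt is No. 1 */
    if (!m->service) { m->signpost = 0; return; }
    if (m->signpost != RT_PER_FRAME) {     /* last interrupt was not RT4 */
        m->fault = FAULT_SIGNPOST;
        return;
    }
    if (++m->bg_counter > BG_LIMIT) {      /* background job hung up */
        m->fault = FAULT_BG_HUNG;
        return;
    }
    m->signpost = 0;
}

/* Real time interrupt entry and exit (Figure 6).
 * Returns the RT program dispatched (1..4), or 0 if none was run. */
static unsigned on_rt_interrupt(struct monitor *m)
{
    unsigned rt;
    if (m->fault) return 0;
    rt = ++m->irq_counter;
    if (!m->service) { m->signpost++; return 0; }  /* short loop, no dispatch */
    if (rt > RT_PER_FRAME || rt != m->signpost + 1) {
        m->fault = FAULT_TRACKING;         /* counters are not tracking */
        return 0;
    }
    /* base address + counter would select RT1..RT4 here */
    m->signpost++;                         /* done on return from the RT program */
    return rt;
}

/* Replay constructed events: M = MACRO SYNCH, R = real time interrupt,
 * B = background pass restarted. Returns the latched fault. */
static enum fault run_sequence(const char *events)
{
    struct monitor m;
    monitor_init(&m);
    for (; *events; events++) {
        if (*events == 'M') on_macro_synch(&m);
        else if (*events == 'R') on_rt_interrupt(&m);
        else if (*events == 'B') on_background_restart(&m);
    }
    return m.fault;
}

/* Healthy frames; the background pass restarts every bg_every frames (0 = never). */
static enum fault run_frames(int frames, int bg_every)
{
    struct monitor m;
    int i, r;
    monitor_init(&m);
    for (i = 1; i <= frames; i++) {
        on_macro_synch(&m);
        for (r = 0; r < RT_PER_FRAME; r++) on_rt_interrupt(&m);
        if (bg_every && i % bg_every == 0) on_background_restart(&m);
    }
    return m.fault;
}

int main(void)
{
    printf("healthy=%d missed=%d extra=%d\n", run_sequence("MRRRRMRRRRM"),
           run_sequence("MRRRM"), run_sequence("MRRRRR"));
    printf("bg hung=%d bg ok=%d\n", run_frames(22, 0), run_frames(100, 16));
    return 0;
}
```

A background pass that takes 200 MS spans 16 MACRO SYNCHs of 12.5 MS, which is why the healthy run restarts the pass every 16 frames and stays under the limit.
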
As before described, there are general tests being run in the background program in between
service programs, which help to delineate the health of the system. In addition, what is referred to
herein as critical testing is also performed during the utility programs. One example is described
generally within real time interrupt 1 as shown in Figure 7. Therein the program is entered through
program entry point 701, and test 702 determines whether or not the system is in the simplex mode. If
it is, this means computer 1 is going it alone, and all full authority operations are prohibited since there
is no way to check computer 1 to determine that what it is doing is absolutely safe in the control of the
aircraft. In the event that it is in simplex mode, it will therefore skip step 703 which provides the output
of the pitch force augmentation which has been skipped during the MACRO SYNCH interrupt as
described with respect to routine 519 in Figure 5 hereinbefore. However, certain less critical but highly
desirable control functions can be performed, even if the control system is operating in the simplex
mode, so that steps 704-706 can check the accuracy of and send out the trim calculations made in
steps 520-522 of the MACRO SYNCH program, as described with respect to Figure 5 hereinbefore.
Then, in subroutine 707, roll inner loop calculations are performed, as are described more fully with
respect to Figure 16 hereinafter. This is one of the routines that is illustrative of what is referred to
herein as critical self test, in which tests are performed in direct association with calculations which are
related thereto, and which can determine proper system health with respect thereto. In step 708 the
yaw inner loop calculation is performed, and in step 709 processing of fault and status codes for
display is performed; since this is routine and varies considerably in dependence upon the particular
system being used and the features desired therefor, it is not described elsewhere herein. Then the first
real time interrupt returns through program return 710 to the real time program of Figure 6, and
ultimately to the BG program.

In Figure 8, real time interrupt program 2 is reached through program entry 801; the first
subroutine 802 in this program is to check the accuracy of, and then send out, the results obtained in
performing the roll inner loop calculation of subroutine 707 in real time program 1 (Figure 7). This
illustrates that calculations made during one real time interrupt are tested and outputted in the next real
time interrupt, all of the background program time between interrupts being available for cross talk
between the two computers so that their two results can be checked without holding up the system.
This is one of the [illegible]
proceeding with background health testing and utility processing, so as to permit checking of real time,
on-line data for immediate use, and with [illegible]

After the roll inner loop output subroutine, the yaw inner loop calculated in step 708 (Figure 7) is
outputted in subroutine 803 and a pitch inner loop calculation is performed in subroutine 804. Next, if
test 805 determines that the computer is not running in the simplex mode, a collective pitch inner loop
calculation is performed by subroutine 806; otherwise, the collective pitch inner loop calculation is
by-passed because this is used for attitude hold, an autopilot function which is not necessary to aircraft
control. This type of function is not performed in the simplex mode in order to provide a lot more
BG testing per MACRO SYNCH, so that the confidence of single-computer control over more essential
functions (such as stick trim) may be maintained. The BG program may only require six MACRO SYNCHs
in simplex mode, increasing its contribution to safety by about 25%. Similar type operations in other
utilizations of a control system within the present invention may similarly be by-passed as should be
apparent to those skilled in the art. Then, subroutine 809 checks the power supplies, multiplexers and
the like through the A/D converter 43 (Figure 1). This is an ordinary routine of a well known type which
simply reads in voltages for comparison with norms, reads test voltages from dummy input devices to
test the A/D, and so forth. Then, the system reverts through program return point 810 to the real time
interrupt return steps illustrated in Figure 6, and then to the BG program.

Referring now [illegible]
901. If test 902 determines that computer No. 1 is not operating in the simplex mode, then the
collective inner loop calculated in subroutine 806 (Figure 8) is compared and outputted in subroutine
903 and a second pitch force augmentation calculation is performed in subroutine 904. If computer 1
is operating in the simplex mode, these subroutines are by-passed. Next, test 905 determines if the
autopilot subroutine counter is zero. If it is, this means that the counter has advanced modulo 4 (as
described with respect to Figure 10 hereinafter), and subroutines needing doing only once in four
MACRO SYNCHs are performed. Therefore, if the counter is at zero, pitch bias is calculated in
subroutine 906 and the discrete input paths to computer 1 are tested in a routine fashion in subroutine
907.

Thereafter an instruction test is performed in subroutine 908; this is an exercise program which
utilizes a significant portion of the facilities of the computer and the scratch pad to perform various
arithmetic and logic operations. Although an instruction test cannot test all of the scratch pad and fixed
memory, tests relating thereto are repetitively being performed by the background job program.
Between the instruction test 908 and the background program test functions, nearly all of the CPU is
self tested. Therefore the likelihood of a CPU failure is extremely small unless detected by the
background or by the instruction test subroutine 908.

Following the instruction test subroutine, the built-in test codes indicative of various status and
fault situations are stored into non-volatile memory where they will be retained even in the case of power
being shut off or power failure. Then, the program will advance through the real time interrupt routine
as illustrated in Figure 6, through program return point 910, and back to the background job (Figure 4).

Referring now to Figure 10, the fourth real time interrupt is reached through program entry 1001
and if test 1002 determines that computer 1 is not operating in a simplex mode, it will test and output,
in subroutine 1003, the pitch force augmentation calculation (B) which was performed in subroutine
904 (Figure 9). Otherwise, test 1002 causes by-passing of this step when in the simplex mode.

Then subroutine 1004 compares and outputs the pitch bias calculated in subroutine 906 (Figure
9). In step 1005 a servo counter is set to four, to keep track of four successive tests of four servos,
hereinafter. Also, step 1006 sets a counter relating to the four FAS/trim servo valves to an initial count
of four for a similar purpose. Then the feedback test address is set to the address for testing servos in
step 1007 and the feedback subroutine 1008 is performed on the servo designated by the feedback
address. The feedback test routine 1008, as is described more fully with respect to the output circuitry
herein, compares the actual servo valve currents (by voltage on line 48a, Figure 2, for instance)
employed to control the aircraft (in response to the commands of the control system of the present
invention) with the commands given thereto, to see if there is proper response in the entire output
system. This is one of the principal tests of the present invention which allows completely safe and
accurate degraded operation, or the fail-safe shutdown of faulty portions of the system if necessary.
After each feedback test routine 1008, the servo counter is decremented in step 1009 and the
feedback test address is incremented in step 1010. When test 1011 determines that all of the desired
feedback tests have been completed by an indication that the servo counter has been decremented
back tb'ierb, fiiriher. feedback testing c^-s#rtfc*l8>mMa^. OTd-thelf^ack 1 ^ address 
the base address for feedback testing of the FAS/trim servo valves in step 1012. Then the feedback
test is again performed by subroutine 1013, while decrementing test address in step IpVB. When test
1016 indicates that all of the FAS/trim output valves have been feedback tested, the program
advances to set the feedback test address for testing of the pitch bias actuator in step 1017 and the
feedback test is again performed by subroutine 1018. But since there is only one of these, there is no
iterative testing required as described hereinbefore.

Then a MACRO SYNCH status test B is performed in subroutine 1019; this test simply checks to
see if the 12 5 MS MACRO SYNCH square wave is now in its second half, indicated by a high level (the
low level is verified in subroutine 525). Then, major fault logic is performed in subroutine 1020, as is
described in detail hereinafter with respect to Figure Tt.

Successful completion of the major fault logic subroutine will cause the autopilot counter to be
incremented modulo 4 in step 1021, followed by a branch to an autopilot subroutine address as
indexed by the autopilot counter, through program entry point 1022. This will cause the program to
perform one of four autopilot programs that are designated 0 through 3 as described more fully with
respect to Figures 11-14 hereinafter. This permits performance of each of the autopilot programs
only once for each four MACRO SYNCHs, a different one being performed in each successive 4th real
time interrupt. Thereby, logic functions that are not too critical and shouldn't take up too much
program time will not unduly delay the real time response capability of a sophisticated, fail-safe and
fail-operational control system of the type disclosed herein.

Referring now to Figure 11, the lowest-ordered automatic pilot subroutine is reached, in every
fourth one of the fourth real time interrupts, through program entry point 1101. In this program,
subroutine 1102 performs discrete word processing. The DMA's will have entered discrete words (e.g.
from 50 and 51, Figure 1) into C1/C1 and C2/C1, and into C2/C2 and C2/C1, respectively, from time to
time. Then each computer compares its discrete inputs with that of the other (C1/C1 with C1/C2;
C2/C2 with C2/C1) to see if they agree. If not, several passes are permitted before a code is set
indicating fault. If they agree, each computer transfers the discretes for its use (from C1/C1 to scratch
pad 1, and from C2/C2 to scratch pad 2, respectively). This is not described further herein. In
subroutine 1103, one set of panel logic is performed which provides updated status to an operator
controlled panel, such as the cockpit displays in an aircraft in the exemplary system herein. These
comprise simply outputting (on CPU output bus 61) to the control panel, where the status words of the
two computers are OR'd and converted for display. In subroutine 1104, a number of status checks
relating to both simplex and duplex operation is performed. These are status tests and checks such as
determining if the roll trim system may be engaged based upon other discrete indicators such as
hydraulic servo status, computer test fail/operational status, input sensor fail/operational status and the
like. Further examples are described with respect to Figures 16 and 21 hereinafter. In subroutine
1105, Euler coefficients (sine and cosines of the vertical gyro outputs) are calculated for use in
converting earth coordinate data derived from the vertical gyro into aircraft coordinate data, whereby
the vertical gyro can be used as a source of current information for checking one set only of rate gyro
inputs in the case where the rate gyros of either computer have failed, as is described more fully with
respect to the roll rate inner loop calculations of Figure 15, hereinafter. Then, this program goes back to
the real time interrupt routine steps of Figure 6 (and thence to the BG) by means of program exit point
1106.

In Figure 12, the second of the autopilot programs, which is performed only once for each fourth
one of the fourth real time interrupt program, is entered at entry point 1201. If test 1202 determines
that both computers are still running, logic similar to that described with ^P 6 ^;"^^ 8 "^
but needed only in duplex mode, is performed in subroutine 1203. This logic is not performed when in
the simplex mode. An example of this type of testing is engagement of the roll autopilot function. Then,
additional panel logic functions to provide display information (like those of subroutine 1103) are
computer 2 has sent so it
mode r tr Upts ' ^"?Puier c 1 may P ter;2 does disa °'e itself a ft»; Deeorne disabled 

the pass counter 1 524 Is illustraLri Frn he d ' scr ePancy between tesM sL a w Chrosynch interrupt 
'ncrement/ng, the testino of t?'. 3 shQrt *"wi form which is m«5k " d t6st 1 522 - Figured 5 
and 152-1. hereinbefore ?o£ e ^ 
25 *«med off by.means of the^?f^ Wunt feexc^^X^^ct to' Items 18t7 1518 

30 a resolve »W?22^%3^ ,n F, ' 9Ure ^ ^S^™ ^ inte -S«e the result^f 

fourth realtime interrupt rou |r^ c I?; But ' f ^ 
SU brou^ 0 ?r^^^ 

then the average of the .tv-nic,, J^f feed,n 9 computer 2 !fth=vJ? uter 1 a 9 re e with, the inputs 
(Figure 1 1). | f one orthe othP-n7 k ' ' nd Averted toaircra^o ToU axis ' diff erehtiated in ; 

«°u°,e failure. ^ dUp ' e * "P^on *vhich is *n^^^ a «2f ? importa^aspect of 
55 augmentation c5cula\?™ irnr " e diately tosTiS^lf 1 ha ^ previously been ■ 

OU J 603 ' as hereinbefore But if ^ 6t no 9° od step. 1 606* »n,l s 'mplex mode as indicated 

gyro 7 and rolf rate gyro 2, and 
an average null is included in this calculation in step 1609. But if test 1608 fails, then a pass counter
1610 is incremented, and until the pass counter is exceeded, this and successive iterations will utilize
the previously calculated value of RRT in steps 1603 et seq. However, once the pass counter has
exceeded its count, test 1611 will determine if it is all right to do a pseudo roll rate calculation utilizing
the pitch and roll axes of the vertical gyro, the yaw axis of the directional gyro, and the Euler
coefficients which have previously been prepared in subroutine 1105. If it is possible, then subroutine
1612 will calculate a pseudo roll rate and test 1613 will determine which roll rate gyro is closest to the
pseudo rate. If roll rate gyro 1 is closest to the pseudo rate, step 1614 will set roll rate gyro 2 as no
good, and test 1615 will determine if roll rate gyro 1 is within tolerance of the pseudo roll rate. If not,
both roll rate gyros will be set as no good in step 1616 and the program will pass through without
performing any calculations and without resetting any of the outputs from this calculation (such
settings being described hereinafter). On the other hand, if test 1615 shows that roll rate gyro 1 is
within tolerance of the pseudo rate, then the program will pass out without performing any functions.
The reason for this is that several fault codes, as well as the status of the roll rate gyros being good or
no good, must be set during this subroutine, and setting of codes consumes too much time to leave
sufficient time for the calculation. Therefore, the outputs at the bottom of Figure 16 are left alone in
such a case in this one iteration.

If test 1613 shows roll rate gyro 2 to be closest to the pseudo rate, then step 1617 will set roll
rate gyro 1 as no good, and roll rate gyro 2 is compared for tolerance with the pseudo rate in test
1618. If it fails, both gyros are set as no good in step 1616, as before, and in either event the program
passes out without doing calculations or updating the outputs.

If in test 1607 roll rate gyro 2 is determined to be no good, RRG is set to RRG1. Then if test 1619
shows that it is not possible to calculate a pseudo rate, this factor is indicated by setting both roll rate
gyros to no good in step 1616, and passing through the program without any calculation. If test 1619
shows that a pseudo rate is possible, it is calculated in subroutine 1620 and then compared in test
1621 with RRG. If they are within tolerance of each other, then in step 1622 the new roll rate value
(RRT) is taken as RRG, which could be either RRG1 or RRG2, and the program passes to the
calculations of steps 1603 et seq.

If the pseudo rate is not within tolerance of roll rate gyro 1 in step 1621, then a pass counter 1623
is incremented and the program jumps to the calculations of step 1603 et seq., using the last value of
RRT for the calculation. When the pass counter has been exceeded, however, both gyros are indicated
no good in step 1616 and the system will pass out without any calculations or updating of the outputs,
as described hereinbefore.
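The roll rate gyro arbitration of Figure 16 described above (tests 1608 through 1623), written out as an added example in C; it is not the patent's own program. The tolerance, the pass limit and every identifier are assumptions, test 1608 is assumed to be an agreement check between the two gyros whose average is then used, a failed test 1611 is assumed to be handled like a failed test 1619, and the pseudo rate is taken as an input rather than derived from the Euler coefficients.

```c
#include <stdbool.h>
#include <stdio.h>

#define TOL        0.5   /* assumed comparison tolerance, deg/s */
#define PASS_LIMIT 3     /* assumed limit for pass counters 1610 and 1623 */

typedef enum { RRT_NEW, RRT_HELD, RRT_SKIPPED } rrt_status_t;

typedef struct {
    bool   g1_good, g2_good;  /* roll rate gyro status flags */
    int    pass_1610;         /* both gyros good but disagreeing */
    int    pass_1623;         /* single gyro disagreeing with pseudo rate */
    double rrt;               /* last accepted roll rate (RRT) */
} rr_state_t;

static double absd(double x) { return x < 0 ? -x : x; }
static bool within(double a, double b) { return absd(a - b) <= TOL; }

/* Step 1616: both gyros no good; outputs are left alone this iteration. */
static rrt_status_t both_bad(rr_state_t *s)
{
    s->g1_good = s->g2_good = false;
    return RRT_SKIPPED;
}

/* One iteration. pseudo_ok stands for tests 1611/1619 and pseudo for the
 * result of subroutines 1612/1620. */
static rrt_status_t select_roll_rate(rr_state_t *s, double rrg1, double rrg2,
                                     bool pseudo_ok, double pseudo)
{
    if (s->g1_good && s->g2_good) {
        if (within(rrg1, rrg2)) {              /* assumed form of test 1608 */
            s->rrt = (rrg1 + rrg2) / 2.0;
            return RRT_NEW;
        }
        if (++s->pass_1610 <= PASS_LIMIT)
            return RRT_HELD;                   /* reuse previous RRT */
        if (!pseudo_ok)
            return both_bad(s);                /* assumption, see lead-in */
        /* Test 1613: keep whichever gyro is closest to the pseudo rate. */
        if (absd(rrg1 - pseudo) <= absd(rrg2 - pseudo)) {
            s->g2_good = false;                /* step 1614 */
            if (!within(rrg1, pseudo))         /* test 1615 */
                return both_bad(s);
        } else {
            s->g1_good = false;                /* step 1617 */
            if (!within(rrg2, pseudo))         /* test 1618 */
                return both_bad(s);
        }
        return RRT_SKIPPED;  /* code setting used the time; no calculation */
    }
    if (!s->g1_good && !s->g2_good)
        return RRT_SKIPPED;
    double rrg = s->g1_good ? rrg1 : rrg2;     /* RRG is RRG1 or RRG2 */
    if (!pseudo_ok)
        return both_bad(s);                    /* test 1619 fails */
    if (within(rrg, pseudo)) {                 /* test 1621 */
        s->rrt = rrg;                          /* step 1622 */
        return RRT_NEW;
    }
    if (++s->pass_1623 <= PASS_LIMIT)
        return RRT_HELD;                       /* last RRT used again */
    return both_bad(s);
}

int main(void)
{
    /* Constructed scenario: gyro 2 drifts away while gyro 1 stays healthy. */
    static const char *names[] = { "NEW", "HELD", "SKIPPED" };
    rr_state_t s = { true, true, 0, 0, 0.0 };
    double gyro2[] = { 10.25, 14.0, 14.0, 14.0, 14.0, 14.0 };
    for (int i = 0; i < 6; i++) {
        rrt_status_t r = select_roll_rate(&s, 10.0, gyro2[i], true, 10.125);
        printf("iter %d: %-7s rrt=%.3f g1=%d g2=%d\n",
               i, names[r], s.rrt, s.g1_good, s.g2_good);
    }
    return 0;
}
```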

Assuming that step 1603 is reached, calculations are made therein and, in step 1604 limits may
be applied thereto, and in step 1626, results may be faded in when first establishing roll rate control, or
faded out when roll rate is being turned off due to one of the pseudo or roll rate gyro failures described
hereinbefore with respect to Figure 16, or because the related control system has been turned off by an
operator.

Once the new calculation has been generated, limited and faded as necessary, test 1627
determines if the feedback test for the roll inner loop valve 68 (Figure 2) was completed successfully as
may have been performed in test 809. If so, then test 1628 determines if computer 1 is in the simplex
mode, and if not test 1629 determines if the similar feedback test for computer 2 was successful: if so,
then there is a new output which is to be utilized in supplying one half of the necessary command to
the coil 68 (Figure 1) and computer 2 will provide one half of a command to coil 70 (Figure 1) so that
computer 1 not only provides a one half command value to coil 68, but it also provides a one half
command value to the DMA data link for pickup by computer 2, such that computer 2 can compare it
with its output to see if accurate. This comparison is done in the next interrupt, as is described more
fully with respect to Figure 17 hereinafter.

If test 1629 showed that the computer 2 roll inner loop feedback test failed, then computer 1
knows it should supply sufficient current for a full command to the coil 68 (Figure 1) because there will
be no current supplied to the coil 70 (Figure 1). In this case, it is also known that computer 2 should
have sensed the failure since it provided the status of failure to computer 1; and therefore, a zero is
sent to computer 2 via the DMA data link for comparison with its assumed zero output. This is
accomplished in steps 1632 and 1633.

If test 1628 determines that computer 1 is in the simplex mode, it obviously is getting no help
from computer 2 and must send a full command to its output via step 1632. Although computer 2 is
disabled at this point it is just as simple to send a zero to the data link in any event.

If test 1627 determines the computer 1 did not have a good roll inner loop coil feedback test,
and test 1634 determines that computer 1 is not in a simplex mode, meaning that computer 2 is still
calculating, and if test 1635 shows that computer 2 has not shut down the roll inner loop channel
because its feedback test was o.k. the last time it was made, then computer 1 will set a zero to its own
output but will send the full command which it calculated over to computer 2, via the DMA data link, so
that computer 2 may compare its output therewith, in steps 1636 and 1637. This is the converse of
steps 1632 and 1633.

But if test 1635 shows that computer 2 has shut down the roll inner loop channel altogether, or if
i « P -7 S ♦ P WS J* computer 2 isn't even operating, then there is no roll inner loop channel (test
1627 determining that computer 1's output coil 68 is improper), so that steps 1638 and 1639 will
send zero to the output and zero over the data link for comparison with the calculation of computer 2.
Notice that steps 1638 and 1639 could be operative even in the case where the roll inner loop is shut
tZSXHSS? h 62 J 1 63 ^' E" 4 dont, "* ous comparison of their calculated results can be useful
because if they don't compare in Figure 17, whether or not their outputs are going to be used, this can
cause both computers to disable themselves; potentially, this adds a greater margin of safety to the
remaining functions being performed by the two computers when in the duplex mode, even though one
complete output channel has failed.

1 °" 'J^l* d ^ b ^^ y -^*L f,b ? fon ' With ' esp ** to R 9 ufe * 7 and 8i - the roll innerloop calculation 1 0 
which is performed during the first real time interrupt is compared with that of the second computer
fnSlK. Ut| f ed " , ? r a6taal us ^ in its roll servo valve during the next real time interrupt as shown
in Figure 8. The roll inner loop output subroutine 802 is shown in detail in Figure 17. Therein, this
subroutine is entered through program entry point 1701. Test 1702 determines if computer 1 is
operating alone, in the simplex mode. If it is, it is obvious that there is no other calculation to compare
with, since computer 2 can't provide one. It therefore jumps down to step 1703 to provide the

in the simplex mode, then the roll command calculated in computer 1 as described in Figure 16 is

time been transferred by the DMA data link to computer 1. If the two calculated commands are
■ L •!! ^ eq ^'.^ h ^ each other, then the output is transferred to the servo in step 1703 as described
hereinbefore. This is the computer 1 output which has previously been determined (step 1630, Figure
16) in such case to be one half of the total command, which is aided in the servo by another half
£!T„TE J?h computer 2. In contrast, when in simplex operation, the calculated output will have
been left at full command (step 1632, Figure 16).

If test 1704 determines that the two results do not agree with each other, a pass counter is
incremented and step 1703 is bypassed so that the old command (stored in S/H 85, Figure 2) is used
one more time. In this case, the pass counter is set to a very large number such as 24 to allow a
complete BG program. If more than the selected number of failures occur in test 1704, the

V ^ n £ nteh < - e ?"^ m th ~"9" h Program'iransfer point 1 706 to a subroutine for disabling 30 
both computers. The reason for disabling both computers at this point is that everything else having
checked, a failure to compare calculated results is an indication of trouble at the heart of one of the
computers which affects its ability to calculate. Each CPU is only checkable by its own self testing
which should have disabled the faulty CPU before now. And since this failure to agree has been sensed
ISS V" ^ has no way to trust computer 2's word for the fact that computer Z^iSSS*
SSf, ,^ ay i- Wr °^' u an important aspect of the present invention comes into play, and
computer 1 decides that it will have to take both computers off line, in program transfer point 1706.

1 704 ^K* ,e P3SS °° Unt - h88 l been and good comparable results are indicated in test 

1704, then the pass counter may be reset; in this case, however, it is not allowed to be reset if the
KTiKSSSP C h 1 .. and C2 is due to their outputs being limited (as in step 1626). The reason for
£ll 704 « being passed due to limiting, but had previously failed, this factor must be kept
track of because it is indicative of a likelihood of faulty operation. So step 1707 determines if the pass
counter 13 We, test 1708 determines if the values are on limits, and only if not will step 1709 reset
fnnno^t V ^ Ugh P"" 09 ?^ * anSfer p0int 1 70( ?' the program wi " "irately return to the yaw inner
loop output subroutine of Figure 8 through program transfer point 1710.
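The command split of Figure 16 (tests 1627 to 1639) and the cross-comparison of Figure 17 described above, combined in one added C example; it is not the patent's own program. All identifiers and the tolerance are assumptions, and the example reads the text as each computer comparing its own coil output with the value the other computer posted on the DMA data link.

```c
#include <stdbool.h>
#include <stdio.h>

#define PASS_LIMIT 24     /* the "very large number such as 24" in the text */
#define TOL        1e-6   /* assumed comparison tolerance */

typedef struct { double coil, link; } split_t;
typedef enum { APPLIED, HELD, DISABLE_BOTH } verdict_t;
typedef struct { int pass; double sample_hold; } channel_t;

/* Figure 16: what a computer drives into its own coil and what it posts on
 * the DMA link for the other computer to check its own output against. */
static split_t split_command(double cmd, bool own_fb_ok, bool simplex,
                             bool peer_fb_ok)
{
    split_t s = { 0.0, 0.0 };              /* steps 1638/1639: zero, zero */
    bool peer_helping = !simplex && peer_fb_ok;
    if (own_fb_ok && peer_helping)
        s.coil = s.link = cmd / 2.0;       /* each coil carries one half */
    else if (own_fb_ok)
        s.coil = cmd;                      /* steps 1632/1633: full, zero */
    else if (peer_helping)
        s.link = cmd;                      /* steps 1636/1637: zero, full */
    return s;
}

/* Figure 17: compare own output with the value received over the link. */
static verdict_t output_step(channel_t *ch, bool simplex, double own,
                             double received, bool on_limits)
{
    double d = own - received;
    if (!simplex && (d < 0 ? -d : d) > TOL) {     /* test 1704 fails */
        if (++ch->pass > PASS_LIMIT)
            return DISABLE_BOTH;                  /* transfer point 1706 */
        return HELD;              /* step 1703 bypassed, old command kept */
    }
    /* Steps 1707-1709: a pass on limited values does not clear the count. */
    if (!simplex && ch->pass != 0 && !on_limits)
        ch->pass = 0;
    ch->sample_hold = own;                        /* step 1703 */
    return APPLIED;
}

/* Constructed scenario: computer 2's calculation is off by `error`. Returns
 * the frame in which computer 1 decides to disable both, or 0 if never. */
static int frames_until_disable(double cmd, double error, bool fb1, bool fb2,
                                int frames)
{
    channel_t c1 = { 0, 0.0 };
    for (int f = 1; f <= frames; f++) {
        split_t s1 = split_command(cmd, fb1, false, fb2);
        split_t s2 = split_command(cmd + error, fb2, false, fb1);
        if (output_step(&c1, false, s1.coil, s2.link, false) == DISABLE_BOTH)
            return f;
    }
    return 0;
}

int main(void)
{
    printf("healthy duplex:        %d\n",
           frames_until_disable(1.0, 0.0, true, true, 100));
    printf("computer 2 fb failed:  %d\n",
           frames_until_disable(1.0, 0.0, true, false, 100));
    printf("computer 2 miscomputes: disable both in frame %d\n",
           frames_until_disable(1.0, 0.25, true, true, 100));
    return 0;
}
```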

SYNCH S rnt» S |^ ed h . e 7;' nbef °^ wi th respect to Figure 5, in the programming within each MACROS 
tlTS fnr /I P ' • K te - S l 5 ¥ IS - D ? rfc,rm - ed < in which each DMA sends the "other computer data over 
50 ^nlTZJS^^T^^ * ? h -° Uld bS the ° ther com P* er - During the major fault logic of 

Jl ° f th . e .i' nk teSt ,S interrogated in test 1 523. If the link test failed because of the. 50 

fact that either computer did not agree with the data which it sent or received, then the resolve link 
2E5o"i ' S e n tered , 8t V/ nsfer P° int 1 53 1 ■ This sub ^tine, entered on Figure i 8 in program eSr/ 

test on MTi^^. P ^L'^ thB " nk t6St fa ' led ' by havin 9 com P uter 1 do ■ «•* wraparound 
cc 2S °" ' tse ! f and determming whether it passed or failed its own test At the same time, computer 2 

win Jl v 9 . B !. nm9; after wa 'ting a while, if computer 1 hasn't decided that it was bad it 55 
2 mr P M r „ 2 h k asde u cd e d thatlt,instead,isbad.Butifneithercomputerfindsitsow^ 
d«n h f ° bS bad ' rt th6n the situation is indeterminate, and computer 1 will resolve it by 

?hat 1 5 -SihUH^' % ° ther ^ nd ' ° f C ° mpUter fsav3 that rt is °- k - and ^mputer 2 has by 

60 as ^Tht S ?1 ,tself '.tnen computer 1 will transfer into the simplex mode rather than disabling itself 

mv W ntk>I 6XamP P fail-operational characteristic in accordance with one aspect of the 60 

turned on ^tfZ'^ en 7 ert !i e d3ta " nk ? determined t0 be °ad, the force augmentation system is 
computers IS nrtnn * Z 3 ?a permanent| Y in ste P 18 °2- because if the problem isn't resolved, both 
65 ITS T*? Shut d ° Wn anvwa V: and if it is resolved in computer 1, computer 1 will be in 
simplex mode, and force augmentation is not permitted in the simplex mode because the excessive
authority capability can be catastrophic and is not permitted unless there are two computers to check
each other. In step 1803, the executive is set into the non-service mode because this program will
resolve itself by shutting down one or both computers or transferring into the simplex mode; if in
simplex, re-initialization must first take place; if this computer is shut off, all work is done anyway. In
step 1803a the data link is set to the wraparound state (55, Figure r f), and subroutine 1804 performs a
link wraparound test between the two DMA memories which are within computer 1. Then in step
1805 the data link is restored to normal, inter-computer configuration. If computer 1 determines that
its link wraparound test was no good in test 1806, it will set an appropriate code in step 1807 and
disable itself by transferring to the disable self subroutine through program transfer point 1808. This is
consistent with each computer determining its own health and not relying on the other computer to
determine its health, since if computer 1 says its own wraparound test is no good then computer 1
puts itself off line.

If test 1806 shows that computer 1 made a good wraparound test, it then waits 20 milliseconds
in step 1809 to permit adequate time for computer 2 (which is not running synchronously, other than
on a macro synch basis) to perform its own link wrap test and to disable itself, if it is faulty. In test
1810, ifpomput^ unresolved failure of a data link test, and an
inability of either computer to assume the blame. Since, in accordance with the invention, neither
computer is allowed to function unless it is absolutely certain that it can do so, and if the two
computers disagree as to whose fault the link test is, then the irresolvable problem is solved by setting
a proper code in step 1803 and entering the disable both subroutine through program transfer point
1812. On the other hand, if computer 2 has admitted fault in test 1810 by disabling itself and sending
an appropriate notice thereof to computer 1, then computer 1 will set an appropriate code in step
3 and will enter the simplex mode of operation through program transfer point 1814.
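The link-failure resolution of Figure 18 described above, run for both computers at once as an added C example; it is not the patent's own program. The stuck-bit fault model, the test patterns and all identifiers are assumptions; the three outcomes (disable self, disable both, enter simplex) and the rule that each computer judges only its own wraparound test come from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { DISABLE_SELF, DISABLE_BOTH, ENTER_SIMPLEX } resolution_t;

typedef struct {
    uint16_t stuck_low;      /* hypothetical fault: link bits stuck at 0 */
    bool disabled;           /* this computer has taken itself off line */
    bool force_aug_allowed;  /* force augmentation needs two computers */
    bool in_service;         /* executive service mode */
} computer_t;

/* Subroutine 1804: with the link in the wraparound state, words written from
 * one of the computer's DMA memories must read back unchanged in the other. */
static bool link_wraparound_ok(const computer_t *c)
{
    static const uint16_t patterns[] = { 0x0000, 0xFFFF, 0x5555, 0xAAAA };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        uint16_t readback = (uint16_t)(patterns[i] & ~c->stuck_low);
        if (readback != patterns[i])
            return false;
    }
    return true;
}

/* Steps 1802-1808: each computer judges only its own hardware. */
static bool self_check(computer_t *c)
{
    c->force_aug_allowed = false;    /* step 1802 */
    c->in_service = false;           /* step 1803: non-service mode */
    if (!link_wraparound_ok(c)) {    /* test 1806 */
        c->disabled = true;          /* steps 1807/1808: disable self */
        return false;
    }
    return true;
}

/* Test 1810, made after the 20 ms wait of step 1809: the peer either
 * admitted fault by disabling itself or the failure is unresolved. */
static resolution_t after_wait(const computer_t *peer)
{
    return peer->disabled ? ENTER_SIMPLEX : DISABLE_BOTH;
}

/* Both computers run the same routine; the wait separates the two phases. */
static void resolve_pair(computer_t *c1, computer_t *c2,
                         resolution_t *r1, resolution_t *r2)
{
    bool ok1 = self_check(c1);
    bool ok2 = self_check(c2);
    *r1 = ok1 ? after_wait(c2) : DISABLE_SELF;
    *r2 = ok2 ? after_wait(c1) : DISABLE_SELF;
    if (*r1 == DISABLE_BOTH || *r2 == DISABLE_BOTH)
        c1->disabled = c2->disabled = true;   /* via disable connection */
}

int main(void)
{
    static const char *names[] = { "disable self", "disable both", "simplex" };
    uint16_t faults[3][2] = { {0, 0x0010}, {0x0001, 0}, {0, 0} };
    for (int i = 0; i < 3; i++) {
        computer_t c1 = { faults[i][0], false, true, true };
        computer_t c2 = { faults[i][1], false, true, true };
        resolution_t r1, r2;
        resolve_pair(&c1, &c2, &r1, &r2);
        printf("case %d: computer 1 -> %s, computer 2 -> %s\n",
               i, names[r1], names[r2]);
    }
    return 0;
}
```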
In Figure 19, the simplex subroutine is entered by program entry 1901 and in steps 1902-1905,
an appropriate code is set, all the pass counters are reset, the executive is set into the non-service
mode (this will be reestablished in the reinitialization of Figure 4 into the service mode), and
new accelerometer nulls are provided. When in the simplex mode, the null is not performed on an
average basis combined with the average of two sensor inputs, but only in a straight basis for one
sensor input. Therefore, the average null to accommodate two sensors has to be substituted for a
single null for the particular sensor to be used in the simplex mode. And then the routine is transferred to
re-initialize, as described with respect to Figure 4, through the simplex return program transfer point
1906.

Referring now to Figure 20, the disabling of computer 1 can occur either by entering through the
disable self program entry 2001 or by means of the disable both program entry point 2002. The only
difference between these is that both flags are set in steps 2003, 2004, if entered at 2002. After
identifying whether the disablement is just for self or for both, a number of additional program steps
place the computer into a condition to lock up in a disable mode. A word is set up in step 2005 to be
passed to the output of computer 1 as well as to whatever display is involved with the control system
in which the invention is being practiced, such as pilot displays in the present exemplary embodiment.
This word, which includes the flags set by step 2003 and/or 2004, is then sent in step 2006 to the
output circuitry described with respect to Figure 2, to control the shutting down of the outputs
commensurate with entering into the disabled mode. The real time interrupts, including macrosynch
and the other four real time interrupts, are then disabled in step 2007, and then the critical codes that
identify those characteristics of the current status of the system which will be of interest to operators
and to maintenance, and which must maintain control of the system in the event that there is power
down during disablement, are sent to the nonvolatile memory so that they will be preserved even if
power is lost. This is accomplished in step 2008. Then in step 2009 the displays are set with the words
provided in step 2005, hereinbefore. All sample/hold circuits at the output are set with zeros in step
2010, and all outputs are turned off (physically opened) by discrete removal of relay connections
between the output drivers and the actual valve control coils, or other output actuator devices, in step
2011, as is described more fully with respect to Figure 2 hereinbefore. And then computer 1 will hang
up in a program loop which includes waiting 50 milliseconds (2012), moving any codes that should be
placed in nonvolatile memory (2013), and moving codes to the maintenance display. In other words,
the only thing that the computer 1 can thereafter do is to respond to human intervention, and a power
on reset.
Referring now to Figure 21, the calculation of fade-in, fade-out coefficients alluded to briefly with
respect to Figures 13 and 16 is performed in a subroutine entered at routine entry point 2101. If the
stability augmentation system is on as indicated in step 2102, the servos are on as indicated in step
2103, and neither roll rate gyro is no good as indicated in step 2104, or even if roll rate gyro is no good
as indicated in step 2105 but computer 1 is not in the simplex mode as indicated in step 2106, then a
fade-in coefficient calculation (to be multiplied against a calculated value) is made by starting with zero
and adding a delta to it in a subroutine 2107. This calculation may go on forever, but whenever the
fade-in coefficient reaches 1, as indicated in test 2108, then step 2109 forces the fade-in coefficient to
be equal to 1.

Negative results on any of the tests 2102-2106 indicate that the roll inner loop which has been
calculated (or such other parameter as may be faded by means of this or a similar subroutine) must be
reduced from some value slowly down to zero, so that a fade-out calculation is involved by subtracting
a delta from T on each iteration in subroutine 2110 until the coefficient reaches zero as determined in
step 2111; thereafter the coefficient is maintained as zero by step 2112.

If the fade-in/out constant is zero, as indicated in test 2113, the roll inner loop is turned off at
step 2114. If the step 2114 is involved to shut off the roll inner loop, this may be accomplished by
providing a suitable discrete 6 relay^contacts 96, as

described hereinbefore^ shutdown of a channel to ?

operate in a degraded mode/indepen^
mode. It should be pointed out that many of the tests 2102-2105 may be performed in the
simplex/duplex operation status subroutine 1104 and a combined result used in the fade-in/out
calculation of Figure 21.






Completion of the fade-in/out calculation of Figure 21, and similar other calculations for other
functions requiring fade-in or fade-out, will cause the program to return through program transfer point
1306 (Figure 13).

The foregoing description of an overall dual computer system controlling aircraft servos
has included a general programming and direct memory access outline, and specific subroutines for
performing functions particularly related be
understood that, although the invention is implemented utilizing the Hamilton Standard AFCS
53E C-MOS processors with suitable apparatus as disclosed herein so as to form a dual computer
control system, the processors may be Teledyne TDY-43, or similar other processors. The particular
program provided for the computers is, of course, dependent upon the architecture of the computers
chosen for use, but in the light of the teachings herein, the invention may be implemented with
standard programming techniques. Although the invention is described in terms of a dual computer
system, it should be understood that the precepts of the invention are fully applicable to systems
having a higher order of redundancy. For instance, three or more systems may be interconnected
utilizing the teachings of the invention. In such a case, the simplex status would occur only in the event
of there being no other system in an operational mode; resolution of failed input units could be
achieved without use of a pseudo input (such as that described with respect to Figure 16 herein), there
being adequate input units for checking among the systems themselves; and results may be compared
as between any two or more systems, depending upon the constraints of program storage capacity and
CPU processing time, as well the number of systems in use and not disabled. However, it is deemed
that the application of the invention to such higher ordered systems is within the skill of the art in the
light of the teachings herein. Similarly, although the invention has been shown and described with
respect to an exemplary embodiment thereof, it should be understood by those skilled in the art that
the foregoing and various other changes, omissions and additions in the form and detail thereof may be
made therein and thereto, without departing from the spirit and the scope of the invention.

Claims

1. A multi-computer process control system in which each computer comprises:
a plurality of outputs for cpntrbn^

a plurality of inputs, providing data manifestations related to the control of said process,
a data link for providing data communication with another of said computer systems;
a disable connection between it and another of said computer systems; and
a program of instructions for providing a plurality of self tests including bit by bit tests of at least a
portion of the memory related to an important portion of said process, reading in of data from said
inputs and calculating result manifestations; receiving calculation manifestations across said data link
from the other of said computer systems, comparing the calculation manifestations of both computer
systems and, in response to comparison thereof, providing said calculation result manifestation to said
outputs, or alternatively providing an error manifestation if the two calculation manifestations do not
compare, disabling said computer in response to one or more of said self test fault manifestations,
providing a manifestation over said data link to indicate to another of said computers the fact of said
computer being disabled, registering the fact of the other computer system being disabled as provided
thereto over said data link, by-passing the portion of said program for comparing calculations in
response to a status manifestation indicating that the other computer has disabled itself, and forcing a
disabled status in another of said computers via said disable connection in response to said error
manifestation.

2. A multi-computer process control system according to claim 1 in which said computer systems
each include feedback means associated with each of its outputs and said program of instructions
provide comparison of data supplied by said feedback means with the related results calculated in the
corresponding computer system, and for disabling the particular corresponding output in the event that
the comparison of said feedback data with said calculated results indicates a disparity therebetween.

3. A multi-computer process control system, comprising a plurality of computer systems, each
having its own inputs indicative of parameters used as the basis for controlling said process, each
having outputs by means of which control over the process is effected, each having a data
communication link for communicating with another one of said computer systems, each of said
computer systems operating under a program of instructions which provide self test routines for the
related computer system, recognition of failures of the self test routine in the related computer system,
and establishment of a disabled mode in response to self test failure, the program of instructions in
each computer capable of providing to another of said computers, over said data communication link,
values indicative of the inputs to said computer, results of calculations performed by said computer,
and indications of the status of said computer when in disabled mode, said program of instructions
providing for duplex operation including comparison in each computer of its input with the input of
another one of said computer systems provided thereto over said data communication link,
comparing of related calculated results in each computer system with the corresponding calculated
results provided thereto over said data communication link by another one of said computer systems in
the event said other computer system is not disabled, and establishment of the disabled mode of
operation in all of said computers if the comparing of calculated results in one of said computers
indicates a failure of comparison.

4. A multi-computer process control system according to claim 3 in which said computer systems
each include feedback means associated with each of its outputs and said program of instructions
provide comparison of data supplied by said feedback means with the related results calculated in the
corresponding computer system, and for disabling the particular corresponding output in the event that
the comparison of said feedback data with said calculated results indicates a disparity therebetween.

5. A multi-computer process control system in which each computer system comprises:
a plurality of inputs for [...]
a plurality of outputs corresponding to different functions to be controlled in said process;
feedback paths from the outputs to provide data to the computer system indicative of the effect
that the data outputs therefrom have on said outputs; and
a program of instructions for [...] a plurality of self tests indicative of the correct operation
of said computer system, for receiving data from said inputs and calculating commands in response
thereto, related to said outputs; for applying said command manifestations to said outputs; for
comparing the feedback data provided by said feedback paths with said command manifestations and
designating discrepancy therebetween, and for disabling any one of said outputs in response to a
corresponding feedback failure manifestation, and for disabling all of said outputs in response to a self
test failure manifestation.

6. A multiple computer process control system according to claim 5 in which each computer
further comprises a data link for providing data communication with another one of said computer
systems, and wherein said program of instructions for communicating to another one of said computer
systems the fact that an output of said computer system has been disabled, for communicating
commands calculated in said computer system to another of said computer systems and receiving over
said data link commands calculated in said other computer system, for comparing the commands
calculated in said computer system with the commands calculated in said other computer system, for
providing a zero command to any one of said outputs which is disabled in said computer system, and
for providing a full command to said other computer system corresponding to any one of said outputs
which is disabled in said computer system for comparison, in said other computer system, with a full
command calculated in said other computer system with respect to an output corresponding to the
output of said computer system which has been disabled.

7. A multiple computer process control system according to claim 6 in which said program of
instructions in each computer system includes instructions for providing a half command to any one of
said outputs which is not disabled and the corresponding one of which in said other computer system
is not disabled, and for providing a half command to said other computer system, corresponding to any
such output which is not disabled in either of said computer systems, for comparison, in said other
computer system, with a half command calculated in said other computer system with respect to such
corresponding output.

8. A multiple computer process control system according to claim 5 in which each computer
further comprises a data link for providing data communication with another one of said computer
systems, and wherein said program of instructions includes instructions for communicating to another
one of said computer systems the fact that an output of said computer system has been disabled, for
communicating commands calculated in said computer system to another of said computer systems
and receiving over said data link commands calculated in said other computer system, for comparing
the commands calculated in said computer system with the commands calculated in said other
computer system, for providing a full command to any one of said outputs which corresponds to an
output associated with said other computer which has been disabled, and for providing a zero command
to said other computer system corresponding to any one of said outputs in said other computer system
which is disabled for comparison, in said other computer system, with a zero command calculated in
said other computer system with respect to said disabled output.
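
The command sharing recited in claims 5 to 8, as an added C example that is not code from the patent. The type and function names, the feedback tolerance `tol`, integer halving of the full command, and the zero value sent when both corresponding outputs are disabled are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define N_OUT 2                      /* constructed: two controlled outputs */

typedef struct {
    bool    out_disabled[N_OUT];     /* set on feedback failure or self-test failure */
    int32_t local_cmd[N_OUT];        /* command applied to this computer's own output */
    int32_t sent_cmd[N_OUT];         /* command sent over the data link for comparison */
} computer_t;

/* Claim 5: a feedback disparity disables that one output; a self-test
 * failure disables all of them. The tolerance `tol` is an assumption. */
void check_health(computer_t *c, const int32_t fb[N_OUT], int32_t tol, bool self_test_ok)
{
    for (int i = 0; i < N_OUT; i++) {
        int32_t diff = fb[i] > c->local_cmd[i] ? fb[i] - c->local_cmd[i]
                                               : c->local_cmd[i] - fb[i];
        if (!self_test_ok || diff > tol)
            c->out_disabled[i] = true;
    }
}

/* Claims 6 to 8: choose the local command and the value sent to the peer. */
void share_commands(computer_t *c, const bool peer_dis[N_OUT], const int32_t full[N_OUT])
{
    for (int i = 0; i < N_OUT; i++) {
        if (c->out_disabled[i]) {            /* claim 6: zero here, peer carries full */
            c->local_cmd[i] = 0;             /* both disabled -> send zero (assumption) */
            c->sent_cmd[i]  = peer_dis[i] ? 0 : full[i];
        } else if (peer_dis[i]) {            /* claim 8: full here, peer expects zero */
            c->local_cmd[i] = full[i];
            c->sent_cmd[i]  = 0;
        } else {                             /* claim 7: each side drives half */
            c->local_cmd[i] = c->sent_cmd[i] = full[i] / 2;
        }
    }
}

/* The receiver compares what the peer sent with its own calculated command. */
bool commands_agree(const computer_t *self, const computer_t *peer)
{
    for (int i = 0; i < N_OUT; i++)
        if (peer->sent_cmd[i] != self->local_cmd[i])
            return false;
    return true;
}
```

In every case covered by the claims, the value one computer sends is the command the other should be applying, so the two local commands for an output sum to the full command whenever at least one side is enabled.
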

9. A multiple computer process control system comprising:
a plurality of computer systems, each providing a data link between it and another of said
computer systems, said data link capable of being placed in a temporary wraparound mode,
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cone^X'SStoSE svsST re ' a H tin9 ----^"9 erectly wi th the 
controlled by said ^pSeT^emsr " ' ^ '"^ T 9 ^ ' e ' atin9 

process being 

of said data link testva Wra^roS * !■**•»• to a failure 10 

data: linkitsetf/for a88Umin?a^ib SSlVSl ? 8Ch .^.^WitvW te portion of the : 

disabled mode status to S ot^^ 

said other computer system Surte^aSS 

20. the Piocessbeing.fcoXllS manifestations relating to 

otheHcompater%y S temto S T5S 

for performing said ^S^^X^^!^'^^ 31 system processing time 

40 functiSd^med^^ functions and 

the disabled condition for-c6m^ m ^W^^Z^-M> P'^f^Pftera in other than . 40 
step of by-passing portions df S^^^^^i^^^ c ° mmahds < said 
program steps relating to dangero^SfsS^ 

and communicating dlrectlv w» Tanoft.r ESrfSvT" 9 to *" ,d **«<<»« <* inputs but relating 
» _d,„ g ,„ pl ?, s ^rilnTtc^ 

an ^S^^T^^^^J^J" *• «ta of a„d ptuceaa. ,„.™ be ,„ g 
systems; Tuncnons corresponding to and controlled by each of said computer 

^eceiCd^ 

another one of said computer systems ?eceivino HstI i ? +- P ?* mQ S£ " d data over the data link » 
over the data link from ^bT^^U^^^J^" 0 t0 '" PUtS fr ° m said other 9 rou P of in P"ts 
inputs with the correspond ng da?a jlSS^ftSlSS^^^^ data ° f MCh ° f its related 
60 the data supplied thereto by the niSS^Z ^n^^ and ca,cu,atin 9 commands from 

■a M outputs in response to the input data ^ to corresponding ones of 60 

w.thm an established tolerance of each other ,ndlcatin 9 that the corresponding input data are 

an^d?^ 13,furthercomprising: 
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computer systems operates includes instructions for comparing the data of one of said selected inputs 
with the data of said system input in the event that said corresponding selected inputs do not compare 
within said predetermined tolerance, and calculating said commands in the event that said selected
input data is within said predetermined tolerance of said system input data.

15. A multiple computer process control system according to claim 14 wherein said program of
instructions under which each of said computer systems operates includes instructions for inhibiting
the calculation of said commands in the event that said selected input data is not within said
predetermined tolerance of said system input data, and for fading down, in successive cycles, the
previously calculated com

16. A multiple computer process control system according to claim 14 wherein said program of
instructions under which each of said computer systems operates includes instructions for performing
a variety of self tests on the related computer system, for disabling the related computer system in the
event of failure of any of said self tests, for providing to other ones of said computer systems an
indication of its disabled status over said data link, and for utilizing the selected input data provided
thereto over said data link by another one of said computer systems in the event that said selected
input data associated with its own input is not within said predetermined tolerance of said system
input data, and said system has not received any indication of disabled status of said other computer
system.

17. A multiple computer process control system according to claim 13 wherein said program of
instructions under which each of said computer systems operates includes instructions for transferring
calculated commands to another one of said computer systems over said data link, for receiving
calculated commands from another one of said computer systems over said data link, for comparing
the calculated command with a corresponding command received over said data link and for disabling
both of said computer systems in the event that said calculated command and said received command
are not identical.

18. A multicomputer processing control system including a plurality of computer systems, each
of said computer systems comprising:
a central processing unit operating under a program of instructions and having interrupt handling
capability for running a plurality of asynchronous, unrelated programs;
a plurality of memory devices;
a plurality of input sources for providing data to said computer system in response to which said
computer system contributes to the control of said process;
a direct memory access controller for communicating data between said input sources, at least
one memory of the related computer system and at least one memory of another one of said computer
systems;
a master clock providing a variety of clock signals for the control of the related computer system
and a series of real time interrupt commands, the master clock of said computer system being
interconnected with the master clock of another one of said computer systems for recognizing the first
to be generated, specific interrupt command of any of the interconnected master clocks, in all of said
computer systems to thereby synchronize said computer systems on the occurrence of said selected
real time interrupt, said master clock being connected to said direct memory access controller to
synchronize said direct memory access controller with the related CPU of said computer system.

19. A multi-computer process control system according to claim 18 wherein each of said CPUs
operates under a program of instructions providing for a background program of self tests and a
plurality of utility programs reached by corresponding ones of said series of real time interrupt
commands, said master clock providing said real time interrupt commands at intervals which are much
less than the time interval required for the performance of said background program.

20. A multi-computer process control system according to claim 19 in which each of said master
clocks provides said real time interrupts at timed intervals which are significantly larger than the time
intervals required for the performance of said utility programs, whereby the performance of said utility
programs is interspersed with the performance of said background program.
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